Security
Headlines

Auth Bypass Flaw in Service Finder WordPress Plugin Under Active Exploit

An Authentication Bypass (CVE-2025-5947) in Service Finder Bookings plugin allows any unauthenticated attacker to log in as an administrator. Over 13,800 exploit attempts detected. Update to v6.1 immediately.

HackRead

Website owners using the Service Finder WordPress theme and its bundled Bookings plugin must update their software immediately, as a serious security flaw is currently being targeted by cybercriminals. This critical issue allows unauthorised individuals to take complete control of affected sites.

**Easy Access to Administrator Accounts**

The vulnerability, tracked as CVE-2025-5947, is an authentication bypass, which simply means a hacker can get past the login screen without a valid password. Security experts have given this flaw a very high severity score of 9.8 out of 10.

The problem lies in how the Service Finder Bookings plugin handles an account switching function. Attackers found they could exploit this by sending a request to the website while falsely attaching a cookie (a small piece of hidden data) that identifies them as the site’s administrator. The plugin failed to properly check if this identifying data was real or fake.

This oversight allows any hacker (even one who has no account on the site) to trick the system into logging them in as any user, including the site’s administrator. Once logged in as an administrator, they can inject harmful code, send visitors to fake websites, or even use the site to host malicious software.
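The trust-the-cookie mistake described above, as an added illustration that is not the plugin's code and does not use its real cookie name or format: a hypothetical account-switch handler that accepts whatever user id the client sends, beside a hardened version that only honours a server-signed, expiring token minted when a logged-in user actually started the switch.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user table for this example (hypothetical, not the plugin's data).
USERS = {1: "admin", 7: "customer"}
# Per-site secret that never leaves the server; a forged cookie cannot carry a valid tag.
SERVER_SECRET = secrets.token_bytes(32)


def vulnerable_switch_back(cookie_value: str):
    """Vulnerable pattern: the user id in the cookie is trusted as-is.
    Any unauthenticated client can send '1' and be treated as the admin."""
    if not cookie_value.isdigit():
        return None
    return USERS.get(int(cookie_value))  # login name the handler would set


def issue_switch_token(original_user_id: int, ttl: int = 600) -> str:
    """Server mints a signed, expiring token when a logged-in user switches
    accounts; it is the only value the hardened switch-back will accept."""
    expires = int(time.time()) + ttl
    payload = f"{original_user_id}:{expires}"
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def hardened_switch_back(cookie_value: str, now=None):
    """Hardened pattern: verify the HMAC before believing anything in the cookie,
    then reject expired tokens. Tampered or client-invented values return None."""
    now = int(time.time()) if now is None else now
    parts = cookie_value.split(":")
    if len(parts) != 3:
        return None
    user_id, expires, tag = parts
    expected = hmac.new(SERVER_SECRET, f"{user_id}:{expires}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or modified cookie
    if not (user_id.isdigit() and expires.isdigit()) or int(expires) < now:
        return None  # malformed or expired token
    return USERS.get(int(user_id))
```

A request-level filter such as the firewall rule mentioned later can block forged cookies before they reach the handler, but the signature check is the control the plugin itself has to enforce.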

**Discovery and Active Attacks**

The flaw was initially found by a researcher known as Foxyyy and reported to the Wordfence Bug Bounty Program. Wordfence, a leading WordPress security firm, facilitated the responsible disclosure process and published the details, including the researcher’s name, on their platform.

According to the Wordfence blog post, the issue affects all versions of the theme up to and including version 6.0. The maintainers of the theme quickly released a fix in version 6.1 on July 17, 2025. However, it was later identified that despite the patch being available, attackers started actively exploiting the flaw almost immediately, beginning on August 1, 2025.

Furthermore, over 13,800 attempts to exploit this vulnerability have been detected since that date. The Service Finder theme has been purchased by more than 6,000 customers, which means thousands of websites could still be at risk.

Website administrators are strongly urged to update the Service Finder theme and plugin to version 6.1 or later right away. It is worth noting that for those running security software like the Wordfence firewall, many of these attack attempts have been blocked. This is because the firewall detects the malicious, fake cookie data being used by the attacker and immediately blocks the request before it can reach the vulnerable part of the website.

(Source: Wordfence)

However, updating your software remains the best and most complete defence to prevent this kind of unauthorised access.

“The pure deja vu of another critical WordPress vulnerability cannot be ignored as threat actors are increasingly automating the exploitation of common CMS plugins to gain persistent access to web infrastructure,” said Gunter Ollmann, CTO at Cobalt.

“Once inside, adversaries can pivot to distributing malware, stealing credentials, or using compromised sites in larger botnets,” Ollmann warned. “The WordPress ecosystem’s accessibility makes it a prime target, and with so many vulnerabilities like this over the years, security teams should treat the service as untrusted and strengthen systems around it to protect critical data and connected systems.”

Related news

⚡ Weekly Recap: WhatsApp Worm, Critical CVEs, Oracle 0-Day, Ransomware Cartel & More

Every week, the cyber world reminds us that silence doesn’t mean safety. Attacks often begin quietly — one unpatched flaw, one overlooked credential, one backup left unencrypted. By the time alarms sound, the damage is done. This week’s edition looks at how attackers are changing the game — linking different flaws, working together across borders, and even turning trusted tools into weapons.

Critical Exploit Lets Hackers Bypass Authentication in WordPress Service Finder Theme

Threat actors are actively exploiting a critical security flaw impacting the Service Finder WordPress theme that makes it possible to gain unauthorized access to any account, including administrators, and take control of susceptible sites. The authentication bypass vulnerability, tracked as CVE-2025-5947 (CVSS score: 9.8), affects the Service Finder Bookings, a WordPress plugin bundled with the
