Headline
Critical Exploit Lets Hackers Bypass Authentication in WordPress Service Finder Theme
Threat actors are actively exploiting a critical security flaw impacting the Service Finder WordPress theme that makes it possible to gain unauthorized access to any account, including administrators, and take control of susceptible sites. The authentication bypass vulnerability, tracked as CVE-2025-5947 (CVSS score: 9.8), affects the Service Finder Bookings, a WordPress plugin bundled with the
Vulnerability / Website Security
Threat actors are actively exploiting a critical security flaw impacting the Service Finder WordPress theme that makes it possible to gain unauthorized access to any account, including administrators, and take control of susceptible sites.
The authentication bypass vulnerability, tracked as CVE-2025-5947 (CVSS score: 9.8), affects the Service Finder Bookings, a WordPress plugin bundled with the Service Finder theme. It was discovered by a researcher who goes by the name Foxyyy.
“This vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site, including accounts with the ‘administrator’ role,” Wordfence researcher István Márton said.
The problem, at its core, is a case of privilege escalation stemming from authentication bypass due to the plugin not adequately validating a user’s cookie value before logging them in through an account switching function (service_finder_switch_back()).
As a result, an unauthenticated attacker could take advantage of this behavior to sign in to the site as any user, including administrators, effectively hijacking the site and using it for nefarious purposes, such as inserting malicious code to redirect users to fake sites or use it to host malware.
The shortcoming affects all versions of the theme prior to and including 6.0. It was addressed by the plugin maintainers on July 17, 2025, with the release of version 6.1. The theme has been sold to more than 6,100 customers, per data from Envato Market.
The WordPress security company said it has observed exploitation activity targeting CVE-2025-5947 since August 1, 2025, with over 13,800 attempts detected to date. However, the success rate of these efforts is currently not clear.
The following IP addresses have been observed targeting the Service Finder Bookings plugin account switching function -
- 5.189.221.98
- 185.109.21.157
- 192.121.16.196
- 194.68.32.71
- 178.125.204.198
Administrators are recommended to audit their sites for any signs of suspicious activity and ensure all the plugins and themes are running the latest version.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Related news
Every week, the cyber world reminds us that silence doesn’t mean safety. Attacks often begin quietly — one unpatched flaw, one overlooked credential, one backup left unencrypted. By the time alarms sound, the damage is done. This week’s edition looks at how attackers are changing the game — linking different flaws, working together across borders, and even turning trusted tools into weapons.
An Authentication Bypass (CVE-2025-5947) in Service Finder Bookings plugin allows any unauthenticated attacker to log in as an administrator. Over 13,800 exploit attempts detected. Update to v6.1 immediately.