Privilege Escalation Vulnerability in Service Finder Bookings Plugin by WordPress
CVE-2025-5947
Key Information:
- Vendor: WordPress
- Status: Vendor
- CVE Published: 1 August 2025
What is CVE-2025-5947?
CVE-2025-5947 is a privilege escalation vulnerability in the Service Finder Bookings plugin for WordPress, affecting all versions up to and including 6.0. The flaw stems from the service_finder_switch_back() function failing to properly validate user cookie values during authentication. Because the cookie is trusted rather than verified, unauthenticated attackers can gain access to arbitrary user accounts, including administrator accounts, without valid credentials. The consequences can be severe: an attacker can change site settings, read sensitive data, and perform administrative actions, undermining the integrity and security of any WordPress site running the affected plugin.
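As an added illustration of the defect class, not the plugin's own code: the weak pattern (a cookie carrying a bare user id that is simply trusted) beside a hardened switch-back token that is HMAC-signed, expiring, and bound to the session that presents it. The cookie name sf_switch_back, the secret, and the user ids are assumptions made for the example.

```php
<?php
// Added example, not code from the Service Finder plugin. The secret and ids are constructed;
// a real WordPress plugin would derive the key from AUTH_SALT rather than a literal.
const SWITCHBACK_SECRET = 'replace-with-a-per-site-secret';

// Weak pattern: the cookie is a bare user id. Whoever sets the cookie picks the account,
// and nothing ties the value to a session that was ever legitimately switched.
function weak_switch_back_user(array $cookies): ?int {
    return isset($cookies['sf_switch_back']) ? (int) $cookies['sf_switch_back'] : null;
}

// Hardened pattern: a token is issued only when a privileged user switches into another
// account. It records both ids plus an expiry, and is signed so it cannot be forged or edited.
function issue_switch_back_cookie(int $original_user, int $switched_to, int $ttl = 3600): string {
    $payload = base64_encode(json_encode([
        'orig' => $original_user, 'to' => $switched_to, 'exp' => time() + $ttl,
    ]));
    $mac = hash_hmac('sha256', $payload, SWITCHBACK_SECRET);
    return $payload . '.' . $mac;
}

// Returns the original user id to restore, or null if any check fails.
// $current_user is the id of the session presenting the cookie (0 for a logged-out visitor).
function verify_switch_back_cookie(string $cookie, int $current_user): ?int {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) { return null; }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, SWITCHBACK_SECRET);
    if (!hash_equals($expected, $mac)) { return null; }        // forged or tampered token
    $data = json_decode(base64_decode($payload, true), true);
    if (!is_array($data) || !isset($data['orig'], $data['to'], $data['exp'])) { return null; }
    if (time() > (int) $data['exp']) { return null; }          // stale token
    if ((int) $data['to'] !== $current_user) { return null; }  // must come from the switched-to session
    return (int) $data['orig'];
}

// Demonstration with constructed ids: 1 = administrator, 42 = customer account.
$cookie = issue_switch_back_cookie(1, 42);
var_dump(verify_switch_back_cookie($cookie, 42));               // presented by the switched-to session
var_dump(verify_switch_back_cookie($cookie, 7));                // presented by an unrelated session
var_dump(verify_switch_back_cookie($cookie, 0));                // presented by a logged-out visitor
var_dump(verify_switch_back_cookie('eyJvcmlnIjoxfQ.bad', 42));  // signature does not verify
var_dump(weak_switch_back_user(['sf_switch_back' => '1']));     // weak pattern: value is attacker-chosen
```

The hardened verifier rejects a cookie from a logged-out visitor because no issued token ever names user 0 as the switched-to session, which is exactly the unauthenticated case the advisory describes.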
Potential impact of CVE-2025-5947
- Unauthorized Access: Unauthenticated users can exploit this vulnerability to log in as any user, including administrators. This compromises user control over the site, leading to unauthorized changes and actions.
- Data Breach Risk: The ability to gain administrative access may expose sensitive user data or business-critical information, heightening the risk of data breaches that can have legal and financial repercussions.
- System Compromise: Attackers exploiting this vulnerability could alter site configurations or deploy malicious content, potentially leading to broader system compromises, website defacements, or malware distribution, all of which can severely damage an organization's reputation and operational integrity.
Affected Version(s)
Service Finder Bookings * <= 6.0
News Articles
CVE-2025-5947: WordPress Plugin flaw lets hackers access Admin accounts
Threat actors are exploiting a critical flaw, tracked as CVE-2025-5947, in the Service Finder WordPress theme’s Bookings plugin.
3 days ago

Critical Exploit Lets Hackers Bypass Authentication in WordPress Service Finder Theme
Critical WordPress flaw CVE-2025-5947 exploited in 13,800 attacks lets hackers hijack Service Finder sites.
4 days ago
Hackers exploit auth bypass in Service Finder WordPress theme
Threat actors are actively exploiting a critical vulnerability in the Service Finder WordPress theme that allows them to bypass authentication and log in as administrators.
4 days ago
Timeline
- 👾 Exploit known to exist
- 📰 First article discovered by BleepingComputer
- Vulnerability published
- Vulnerability reserved