Critical Exploit Lets Hackers Bypass Authentication in WordPress Service Finder Theme

Source THN
Severity 9.8 / 10 CRITICAL
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Bypass Authentication in WordPress

Threat actors are actively exploiting a critical security flaw impacting the Service Finder WordPress theme that makes it possible to gain unauthorized access to any account, including administrators, and take control of susceptible sites.

The authentication bypass vulnerability, tracked as **CVE-2025-5947** (CVSS score: 9.8), affects Service Finder Bookings, a WordPress plugin bundled with the Service Finder theme. It was discovered by a researcher who goes by the name Foxyyy.

"This vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site, including accounts with the 'administrator' role," Wordfence researcher István Márton said.

At its core, the problem is an authentication bypass that yields privilege escalation: the plugin's account switching function, service_finder_switch_back(), does not adequately validate the user's cookie value before logging them in. A cookie is entirely under the client's control, so a value the server never issued and never checks is accepted as proof of identity.

As a result, an unauthenticated attacker can abuse this behavior to sign in to the site as any user, including administrators, effectively hijacking the site for nefarious purposes, such as inserting malicious code that redirects visitors to fraudulent sites, or using the site to host malware.
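To make the bug class concrete, the following is an added illustrative example in PHP; it is not code from the Service Finder Bookings plugin or from Wordfence. It shows a switch-back handler that trusts a client-controlled cookie beside a hardened version that treats the cookie only as a lookup key for a server-side record. The cookie names (original_user_id, sf_switch_token), the transient key prefix sf_switch_, the request parameter sf_switch_back and the nonce action sf_switch_back are assumed names chosen for this example.

```php
<?php
/**
 * Illustrative example (not the plugin's own code). Cookie names, transient
 * prefix, request parameter and nonce action are assumptions for this example.
 */

// --- Vulnerable pattern: the class of bug described in the article ---
// The user ID to log in as comes straight from a client-controlled cookie.
// Nothing proves the visitor ever was that user, so an unauthenticated request
// carrying "Cookie: original_user_id=1" is logged in as user 1 (typically the
// first administrator). Shown for contrast only; do not hook this function.
function service_finder_switch_back_vulnerable() {
    if ( empty( $_COOKIE['original_user_id'] ) ) {
        return;
    }
    $original_user_id = intval( $_COOKIE['original_user_id'] ); // attacker-chosen
    wp_set_auth_cookie( $original_user_id );                    // login without proof
    wp_set_current_user( $original_user_id );
    wp_safe_redirect( admin_url() );
    exit;
}

// --- Hardened pattern ---
// 1. When an administrator switches into another account, record the switch
//    server-side under a random token and give the browser only that token.
//    The browser can change the token, but a forged token matches no record.
function sf_begin_switch( $target_user_id ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Not allowed' );
    }
    $target_user_id = intval( $target_user_id );
    $token          = wp_generate_password( 32, false );
    set_transient(
        'sf_switch_' . hash( 'sha256', $token ),
        array(
            'original' => get_current_user_id(),
            'target'   => $target_user_id,
            'expires'  => time() + HOUR_IN_SECONDS,
        ),
        HOUR_IN_SECONDS
    );
    setcookie( 'sf_switch_token', $token, time() + HOUR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
    wp_set_auth_cookie( $target_user_id );
    wp_set_current_user( $target_user_id );
}

// 2. Switching back uses the cookie only to find the server-side record. The
//    identity to restore comes from that record, and the request must
//    (a) be authenticated as the account that was switched into,
//    (b) carry a valid nonce, and (c) arrive before the record expires.
function service_finder_switch_back_hardened() {
    if ( empty( $_REQUEST['sf_switch_back'] ) || ! is_user_logged_in() || empty( $_COOKIE['sf_switch_token'] ) ) {
        return;
    }
    $nonce = isset( $_REQUEST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'sf_switch_back' ) ) {
        wp_die( 'Invalid request' );
    }
    $key    = 'sf_switch_' . hash( 'sha256', (string) $_COOKIE['sf_switch_token'] );
    $record = get_transient( $key );
    if ( ! is_array( $record ) || $record['expires'] < time() ) {
        return; // unknown or expired token
    }
    if ( get_current_user_id() !== $record['target'] ) {
        return; // token was not issued to this session
    }
    $original = get_user_by( 'id', $record['original'] );
    if ( ! $original || ! user_can( $original, 'manage_options' ) ) {
        return; // original account gone or no longer privileged
    }
    delete_transient( $key ); // single use
    setcookie( 'sf_switch_token', '', time() - HOUR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
    wp_set_auth_cookie( $original->ID );
    wp_set_current_user( $original->ID );
    wp_safe_redirect( admin_url() );
    exit;
}
add_action( 'init', 'service_finder_switch_back_hardened' );
```

The "switch back" link shown to the switched-into session would be built with wp_nonce_url( home_url( '/?sf_switch_back=1' ), 'sf_switch_back' ) so the nonce check passes for that user. The essential difference from the vulnerable version is that no identity is ever read from the client: the cookie is a capability handle that is random, single use, time limited and bound to the session that received it, and the user ID comes from storage the client cannot write.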


The shortcoming affects all versions of the theme up to and including 6.0. It was addressed by the plugin maintainers on July 17, 2025, with the release of version 6.1. The theme has been sold to more than 6,100 customers, per data from Envato Market.

Wordfence said it has observed exploitation activity targeting CVE-2025-5947 since August 1, 2025, with over 13,800 attempts detected to date. How many of those attempts succeeded is not currently known.



The following IP addresses have been observed targeting the Service Finder Bookings plugin's account switching function:

* 5.189.221.98
* 185.109.21.157
* 192.121.16.196
* 194.68.32.71
* 178.125.204.198



Administrators are advised to audit their sites for any signs of suspicious activity, such as unexpected administrator accounts or unknown content changes, and to ensure all plugins and themes are running the latest version.


Basic Information

ID THN:BD48F5D6ABBC821E0BBABFAFB9AEE479
Published Oct 9, 2025 at 06:57
