Critical Exploit Lets Hackers Bypass Authentication in WordPress Service Finder Theme

Threat actors are actively exploiting a critical security flaw in the Service Finder WordPress theme that makes it possible to gain unauthorized access to any account, including administrator accounts, and take control of vulnerable sites.

The authentication bypass vulnerability, tracked as CVE-2025-5947 (CVSS score: 9.8), affects Service Finder Bookings, a WordPress plugin bundled with the Service Finder theme. It was discovered by a researcher who goes by the name Foxyyy.

“This vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site, including accounts with the ‘administrator’ role,” Wordfence researcher István Márton said.

The problem, at its core, is a case of privilege escalation stemming from an authentication bypass: the plugin does not adequately validate a user’s cookie value before logging them in via an account switching function (service_finder_switch_back()).

As a result, an unauthenticated attacker could abuse this behavior to log in to the site as any user, including administrators, effectively hijacking the site and using it for nefarious purposes, such as inserting malicious code that redirects visitors to fake sites or using the site to host malware.


The shortcoming affects all versions of the theme prior to and including 6.0. It was addressed by the plugin maintainers on July 17, 2025, with the release of version 6.1. The theme has been sold to more than 6,100 customers, per data from Envato Market.


The WordPress security company said it has observed exploitation activity targeting CVE-2025-5947 since August 1, 2025, with over 13,800 attempts detected to date. However, the success rate of these efforts is currently not clear.

The following IP addresses have been observed targeting the Service Finder Bookings plugin account switching function:

  • 5.189.221.98
  • 185.109.21.157
  • 192.121.16.196
  • 194.68.32.71
  • 178.125.204.198

Administrators are advised to audit their sites for any signs of suspicious activity and ensure all plugins and themes are running the latest version.
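As a starting point for that audit, the following added example (not code from the article or from Wordfence) triages a web server access log for requests that reach the switch-back function or originate from the IP addresses listed above. It assumes the combined log format and, since the article gives no endpoint, assumes the function name or the string "switch_back" appears in the request path or query string.

```python
import re
from collections import Counter

# Source IPs Wordfence reported as targeting the switch-back function (from the article).
REPORTED_IPS = {
    "5.189.221.98", "185.109.21.157", "192.121.16.196",
    "194.68.32.71", "178.125.204.198",
}

# Apache/nginx "combined" access-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# ASSUMPTION: a request that reaches the vulnerable handler carries the function
# name (or "switch_back") in its path or query string; the article gives no endpoint.
SWITCH_BACK_RE = re.compile(r"service_finder_switch_back|switch_back", re.IGNORECASE)

def triage(lines):
    """Flag switch-back requests and traffic from reported IPs; return (findings, counts)."""
    findings, counts = [], Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, path, status = m["ip"], m["path"], m["status"]
        hit = bool(SWITCH_BACK_RE.search(path))
        known = ip in REPORTED_IPS
        if not (hit or known):
            continue
        # A switch-back request from a reported IP is the strongest signal; any
        # switch-back request warrants a look because the bug needs no authentication.
        severity = "high" if (hit and known) else ("medium" if hit else "low")
        findings.append({"ip": ip, "ts": m["ts"], "path": path,
                         "status": status, "severity": severity})
        counts[ip] += 1
    return findings, counts

# Constructed sample log (not real traffic); two lines use IPs from the article.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Aug/2025:10:00:01 +0000] "GET /wp-content/themes/service-finder/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
5.189.221.98 - - [01/Aug/2025:10:00:02 +0000] "GET /?service_finder_switch_back=1 HTTP/1.1" 302 0 "-" "python-requests/2.32"
198.51.100.7 - - [01/Aug/2025:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=service_finder_switch_back HTTP/1.1" 200 43 "-" "curl/8.0"
185.109.21.157 - - [01/Aug/2025:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found, per_ip = triage(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['severity']:6} {f['ip']:15} {f['ts']} {f['status']} {f['path']}")
```

Run it against the real access log (for example `triage(open("/var/log/apache2/access.log"))`) and review every "high" and "medium" entry, together with any new administrator accounts or modified theme files created around the same timestamps.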
