Critical Exploit Lets Hackers Bypass Authentication in WordPress Service Finder Theme
Summary
A critical authentication-bypass vulnerability (CVE-2025-5947, CVSS 9.8) in the Service Finder Bookings plugin—bundled with the Service Finder WordPress theme—allows unauthenticated attackers to impersonate any user, including administrators. The flaw stems from inadequate validation of a cookie used by an account-switching function (service_finder_switch_back()). The issue affects all theme versions up to and including 6.0 and was fixed in version 6.1 (released 17 July 2025). The bug was discovered by researcher Foxyyy and publicised by Wordfence, which has observed exploitation attempts since 1 August 2025.
Key Points
- Vulnerability: CVE-2025-5947 — authentication bypass leading to privilege escalation (CVSS 9.8).
- Root cause: the plugin does not properly validate a user’s cookie before performing an account switch (service_finder_switch_back()).
- Impact: an unauthenticated attacker can log in as any user, including administrators, and fully compromise affected sites.
- Affected versions: Service Finder theme versions up to and including 6.0; fixed in plugin/theme version 6.1 (17 July 2025).
- Scale: the theme has been sold to more than 6,100 customers on Envato Market.
- Active exploitation: Wordfence detected exploitation attempts starting 1 August 2025, with over 13,800 attempts observed to date.
- Observed attacker IPs: 5.189.221.98, 185.109.21.157, 192.121.16.196, 194.68.32.71, 178.125.204.198.
- Recommended action: immediately update to the patched 6.1 release and audit sites for signs of compromise or unauthorised changes.
Why should I read this?
If you run WordPress sites that use the Service Finder theme or its bundled plugin, this is one to take seriously — it lets attackers sign in as admins without credentials. Quick read, faster action: update now and check for weird admin activity. Seriously, don’t leave it sitting.
Context and relevance
This vulnerability is significant because it provides a straightforward path for attackers to fully take over websites, insert malicious code, host malware or redirect visitors to phishing pages. It illustrates a wider trend: bundled plugins and account-switching features can introduce high-risk trust assumptions if cookie and session handling are not strictly validated. With thousands of customers and active exploitation observed, the issue is highly relevant to site owners, managed-hosting providers and security teams responsible for WordPress estates.
Practical steps: update Service Finder to 6.1 immediately, review access logs for unexplained logins or changes (especially from the listed IPs), rotate administrator credentials, check for backdoors or malicious admin users, and ensure backups are intact before remediation.
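For the log-review step, the following is an added example (not code from the article, Wordfence, or the theme vendor) that scans web-server access logs for requests from the attacker IPs listed above, restricted to the exploitation window Wordfence reported (from 1 August 2025). It assumes Apache/nginx "combined" log format; the sample lines are constructed, with a documentation-range address standing in for a benign visitor.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Source IPs Wordfence observed launching exploitation attempts (from the article).
OBSERVED_ATTACKER_IPS = frozenset({
    "5.189.221.98", "185.109.21.157", "192.121.16.196",
    "194.68.32.71", "178.125.204.198",
})
# Wordfence first saw exploitation attempts on 1 August 2025.
EXPLOITATION_WINDOW_START = datetime(2025, 8, 1, tzinfo=timezone.utc)

# Apache/nginx "combined" log format (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry

def scan_access_log(lines: List[str]) -> List[Dict]:
    """Return entries from the observed attacker IPs dated inside the exploitation window."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["ip"] in OBSERVED_ATTACKER_IPS and entry["ts"] >= EXPLOITATION_WINDOW_START:
            hits.append(entry)
    return hits

# Constructed sample log lines (not real traffic). 203.0.113.7 is a documentation address.
SAMPLE_LOG = [
    '5.189.221.98 - - [03/Aug/2025:10:15:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Aug/2025:10:16:44 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '194.68.32.71 - - [20/Jul/2025:08:00:00 +0000] "GET / HTTP/1.1" 200 1000 "-" "curl/8.0"',
    '185.109.21.157 - - [05/Aug/2025:22:41:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ts"].isoformat(), hit["ip"], hit["method"], hit["path"], hit["status"])
```

Address-based indicators are brittle (attackers rotate infrastructure), so an empty result does not clear a site; treat it as one input alongside the admin-user audit and the version check.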
Source
Source: https://thehackernews.com/2025/10/critical-exploit-lets-hackers-bypass.html
