Critical WordPress vulnerability: Hackers can bypass login and take over sites

A critical security vulnerability has been discovered, and is already being actively exploited, in the popular WordPress theme Service Finder and its bundled plugin Service Finder Bookings. The flaw allows attackers to bypass authentication entirely and log in as any user, including administrators. The issue has been assigned CVE-2025-5947 and carries a CVSS score of 9.8, making it one of the most severe WordPress vulnerabilities reported this year.
The bug stems from improper cookie validation in the account-switching function (service_finder_switch_back()). Because the plugin does not properly verify the cookie that tells it which account to switch back to, an unauthenticated attacker can craft a request containing a cookie of their choosing and be logged in as any existing user on the site, with no password required. Once inside, the attacker can upload malware, redirect visitors to phishing pages, or hijack the website for malicious distribution campaigns.
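To make the bug class concrete, the following is an added illustration and is not Service Finder's own code, whose internals the article does not show. It contrasts a switch-back handler that trusts a client-supplied user-id cookie (the pattern the article describes as "improper cookie validation") with a hardened form that signs the cookie, binds it to the user who performed the switch, and requires a logged-in, nonce-protected request. The cookie names (sf_switch_back_uid, sf_switch_back), the nonce action and both function names are assumptions; the WordPress API calls (wp_set_auth_cookie, wp_salt, check_ajax_referer, and so on) are real.

```php
<?php
// Added illustration of the vulnerability class, NOT the Service Finder code.
// Cookie names, nonce action and function names below are hypothetical.

// VULNERABLE PATTERN: the identity to restore comes straight from a cookie the
// client controls. An unauthenticated request carrying
//   Cookie: sf_switch_back_uid=1
// is enough to receive a valid session for user 1 (typically the site administrator).
function insecure_switch_back(): void {
    if ( empty( $_COOKIE['sf_switch_back_uid'] ) ) {
        return;
    }
    $user_id = (int) $_COOKIE['sf_switch_back_uid'];
    wp_set_auth_cookie( $user_id ); // no check that anyone ever switched accounts
    wp_safe_redirect( admin_url() );
    exit;
}

// HARDENED PATTERN, part 1: when a logged-in user switches into another account,
// record the original identity in a cookie signed with a server-side secret
// (wp_salt() is derived from the AUTH_KEY/AUTH_SALT in wp-config.php).
function issue_switch_back_cookie( int $original_user_id, int $target_user_id ): void {
    $expires = time() + 3600;
    $payload = $original_user_id . '|' . $target_user_id . '|' . $expires;
    $mac     = hash_hmac( 'sha256', $payload, wp_salt( 'auth' ) );
    setcookie( 'sf_switch_back', $payload . '|' . $mac, [
        'expires'  => $expires,
        'path'     => COOKIEPATH,
        'secure'   => is_ssl(),
        'httponly' => true,
        'samesite' => 'Lax',
    ] );
}

// HARDENED PATTERN, part 2: only an authenticated user, sending a valid nonce,
// holding an unexpired cookie whose MAC verifies and whose "target" field matches
// their current session, may switch back to the recorded original account.
function secure_switch_back(): void {
    if ( ! is_user_logged_in() || ! check_ajax_referer( 'sf_switch_back', 'nonce', false ) ) {
        wp_die( 'Forbidden', 403 );
    }
    $parts = explode( '|', $_COOKIE['sf_switch_back'] ?? '' );
    if ( count( $parts ) !== 4 ) {
        wp_die( 'Forbidden', 403 );
    }
    [ $original_id, $target_id, $expires, $mac ] = $parts;
    $payload  = $original_id . '|' . $target_id . '|' . $expires;
    $expected = hash_hmac( 'sha256', $payload, wp_salt( 'auth' ) );

    // hash_equals() gives a constant-time comparison, so the MAC cannot be
    // recovered byte by byte through timing differences.
    if ( ! hash_equals( $expected, $mac )
        || (int) $expires < time()
        || (int) $target_id !== get_current_user_id()
        || ! get_userdata( (int) $original_id ) ) {
        wp_die( 'Forbidden', 403 );
    }

    wp_set_auth_cookie( (int) $original_id );
    setcookie( 'sf_switch_back', '', time() - 3600, COOKIEPATH ); // one-time use
    wp_safe_redirect( admin_url() );
    exit;
}
```

The essential difference is where trust comes from: in the insecure handler the cookie value is the authorization, whereas in the hardened handler the cookie is only a claim that the server verifies against a secret it alone holds and against the caller's existing session. Any plugin that restores a session from request-supplied data without such a check has the same bypass, regardless of the feature it implements.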
All versions of the theme up to and including 6.0 are vulnerable. The developers released a patched version (6.1) on July 17, 2025. However, researchers at Wordfence have observed active exploitation attempts since August 1, 2025, roughly two weeks after the patch shipped, and have detected more than 13,800 attack attempts targeting unpatched sites. The company warns that successful exploitation grants full administrative control over affected websites.
Administrators using Service Finder are urged to immediately update to version 6.1 or later, review user accounts for unauthorized additions or role changes, and rotate all passwords. Because the flaw issues valid session cookies rather than cracking passwords, changing the authentication keys and salts in wp-config.php is also worthwhile: it invalidates every existing session, including any an attacker obtained before the update. It is also strongly recommended to enable two-factor authentication, limit login attempts, and monitor server logs for suspicious activity.
This incident serves as another reminder of how third-party themes and plugins can expose WordPress installations to critical risks when not properly maintained. With WordPress powering over 40% of all websites globally, vulnerabilities like this provide a lucrative target for cybercriminals looking to deploy phishing kits, ransomware, or crypto-mining scripts through compromised pages. In short, if your website runs Service Finder, update it immediately. Even a few hours of delay can leave your site, and your visitors, wide open to compromise.