Security researchers have issued an urgent warning for WordPress users running the Service Finder Bookings plugin. The bug, catalogued as CVE-2025-5947, allows an unauthenticated attacker to bypass login protections and seize administrative control of a vulnerable site.
According to The Hacker News report published in October 2025, the exploit is already being actively abused, with thousands of attack attempts logged across compromised hosting environments.
The vulnerability impacts Service Finder Bookings ≤ 6.0, a plugin bundled with the commercial Service Finder theme sold on ThemeForest. The developer released version 6.1 on July 17 2025, addressing the issue.
The flaw carries a CVSS 9.8 (Critical) rating. Because the attack requires no authentication, privileges, or user interaction, exploitation is trivial and automated bots can hijack sites en masse.
Root Cause: Cookie Validation Flaw
The vulnerability stems from insufficient cookie validation inside the service_finder_switch_back() function. This endpoint fails to verify that the requesting user owns the session cookie being processed.
Consequently, an attacker can forge a cookie for any account, submit it to the endpoint, and force WordPress to switch sessions, instantly logging in as an administrator without knowing a password.
NVD classifies the flaw under CWE-639 (Authorization Bypass Through User-Controlled Key), confirming the impact as complete compromise of confidentiality, integrity, and availability.
Security researchers at Wordfence began detecting active exploitation of this vulnerability on August 1, 2025. Moreover, telemetry logs revealed more than 13,800 attack attempts within the first two weeks of activity. These incidents clearly demonstrate that automated scripts are targeting unpatched WordPress sites in large numbers.
Furthermore, most of the attacks originate from rotating IP pools, making simple IP bans ineffective. Instead, the attackers rely on scripted routines that automatically scan domains, craft forged cookies, and escalate privileges once a valid target is identified. As a result, even small or poorly maintained websites can be compromised within minutes of detection.
Once inside, adversaries rarely stop at simple intrusion. Typically, they:
- Install malicious SEO plugins to inject spam into site pages.
- Upload web shells to maintain long-term persistence.
- Create rogue administrator accounts to guarantee access even after cleanup.
Ultimately, this campaign highlights how attackers weaponize automation to exploit known vulnerabilities before administrators can apply patches.
Update and Audit Immediately
The plugin developer patched the vulnerability in Service Finder Bookings 6.1, released July 17 2025. If your site runs 6.0 or earlier, update immediately from your WordPress Dashboard → Plugins → Service Finder Bookings.
Post-update remediation checklist:
- Force logout all active sessions.
- Reset admin passwords and rotate application passwords.
- Review user lists for unfamiliar administrator accounts.
- Inspect wp-content/plugins/ and uploads/ for unauthorized files.
- Block known malicious IPs at your firewall or hosting provider.
Because attackers gain legitimate sessions, detection depends on behavioral logging:
- Check login events without MFA or password attempts.
- Audit user_meta for new wp_capabilities entries.
- Compare file hashes in wp-admin and wp-includes against clean installations.
- Inspect database records for unexpected plugin or theme edits.
Where compromise is suspected, restore from a known-clean backup and rotate all credentials.
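The wp_capabilities audit and the "unfamiliar administrator accounts" review above can be scripted. The following is an added example, not code from the advisory or the plugin: it parses the PHP-serialized role array WordPress stores in wp_usermeta and flags administrators missing from an allowlist, noting whether each was created on or after the observed exploitation start. The rows, the allowlist and the "wp_" table prefix are constructed assumptions.

```python
"""Audit WordPress wp_capabilities rows for unexpected administrator accounts."""
import re
from datetime import datetime

# WordPress stores roles as a PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}
# The meta_key is "<table_prefix>capabilities"; "wp_capabilities" assumes the default prefix.
_ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:([01]);')


def parse_capabilities(serialized: str) -> set[str]:
    """Return the roles granted (value true) in a serialized capabilities array."""
    if not serialized.startswith("a:"):
        raise ValueError("not a serialized PHP array")
    return {role for role, flag in _ROLE_RE.findall(serialized) if flag == "1"}


# Constructed sample rows modelled on a join of wp_users and wp_usermeta (not real data).
SAMPLE_ROWS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2023-03-12 09:14:00",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"ID": 7, "user_login": "editor_jane", "user_registered": "2024-05-02 11:00:00",
     "meta_value": 'a:1:{s:6:"editor";b:1;}'},
    {"ID": 42, "user_login": "wp_support_9", "user_registered": "2025-08-03 02:17:45",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"ID": 43, "user_login": "sub_bob", "user_registered": "2025-08-03 02:19:01",
     "meta_value": 'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}'},
]


def find_rogue_admins(rows, known_admins, exploitation_start="2025-08-01"):
    """Flag administrator accounts not on the allowlist.

    Each finding records whether the account was registered on or after
    exploitation_start (ISO date), which raises its priority for review."""
    cutoff = datetime.strptime(exploitation_start, "%Y-%m-%d")
    findings = []
    for row in rows:
        roles = parse_capabilities(row["meta_value"])
        if "administrator" not in roles or row["user_login"] in known_admins:
            continue
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        findings.append({
            "ID": row["ID"],
            "user_login": row["user_login"],
            "roles": sorted(roles),
            "created_after_exploitation_start": registered >= cutoff,
        })
    return findings


if __name__ == "__main__":
    for finding in find_rogue_admins(SAMPLE_ROWS, {"siteowner"}):
        print(finding)
```

On a live site, feed the function rows exported from the database (for example via WP-CLI or a read-only SQL query) rather than the constructed sample.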
Hardening WordPress Against Auth Bypass Exploits
This exploit underscores a recurring problem: insecure session handling in third-party plugins. Administrators should:
- Enforce MFA on all administrator accounts.
- Restrict access to wp-login.php by IP or reverse proxy.
- Disable unused XML-RPC and REST endpoints.
- Deploy a WAF that blocks malformed cookie or nonce traffic.
- Maintain a plugin inventory and remove unsupported add-ons.
Vendor and Ecosystem Notes
- NVD Listing: CVE-2025-5947 confirms the issue as an authorization bypass in service_finder_switch_back(); CVSS 9.8.
- Patchstack Advisory: echoes the flaw and patch timeline.
- GitHub Advisory Database: mirrors the CVE details.
- Credit: vulnerability disclosed by researcher Foxyyy, analyzed by István Márton (Wordfence Threat Intelligence).
Given the widespread exploitation, every unpatched Service Finder installation must be treated as compromised until proven otherwise. Even after updating, remnants of unauthorized code or malware may continue to operate covertly.
Therefore, administrators should remain vigilant beyond the initial patch cycle. They must continuously monitor access logs, enforce stronger authentication policies, and verify file integrity across all directories. In addition, maintaining a strict update cadence for all plugins and themes significantly reduces reinfection risk.
Finally, a properly configured Web Application Firewall (WAF) provides an essential last line of defense. It not only filters malicious traffic but also detects new attack patterns before they exploit additional vulnerabilities. By combining these controls, site owners can preserve operational integrity and restore trust in their WordPress environments.
FAQs
Q1. What versions are vulnerable?
All versions of Service Finder Bookings ≤ 6.0 are affected.
Q2. How severe is this exploit?
It’s rated CVSS 9.8 Critical because it enables unauthenticated admin access.
Q3. Has a patch been released?
Yes, version 6.1, released July 17 2025, fixes the bug.
Q4. Are attacks happening now?
Yes, Wordfence observed thousands of active attacks since early August 2025.
Q5. What should I do if I used this plugin?
Update immediately, audit accounts and logs, and treat the site as compromised until verified clean.