Critical Exploit Lets Hackers Bypass Authentication in WordPress Service Finder Theme

Critical Exploit Lets Hackers Bypass Authentication in WordPress Service Finder Theme

Posted on By CWS

Oct 09, 2025Ravie LakshmananVulnerability / Web site Safety
Menace actors are actively exploiting a vital safety flaw impacting the Service Finder WordPress theme that makes it potential to achieve unauthorized entry to any account, together with directors, and take management of prone websites.
The authentication bypass vulnerability, tracked as CVE-2025-5947 (CVSS rating: 9.8), impacts the Service Finder Bookings, a WordPress plugin bundled with the Service Finder theme. It was found by a researcher who goes by the title Foxyyy.
“This vulnerability makes it potential for an unauthenticated attacker to achieve entry to any account on a web site, together with accounts with the ‘administrator’ function,” Wordfence researcher István Márton stated.
The issue, at its core, is a case of privilege escalation stemming from authentication bypass because of the plugin not adequately validating a person’s cookie worth earlier than logging them in by an account switching perform (service_finder_switch_back()).
Consequently, an unauthenticated attacker might reap the benefits of this habits to check in to the positioning as any person, together with directors, successfully hijacking the positioning and utilizing it for nefarious functions, resembling inserting malicious code to redirect customers to pretend websites or use it to host malware.

The shortcoming impacts all variations of the theme previous to and together with 6.0. It was addressed by the plugin maintainers on July 17, 2025, with the discharge of model 6.1. The theme has been offered to greater than 6,100 prospects, per information from Envato Market.
The WordPress safety firm stated it has noticed exploitation exercise focusing on CVE-2025-5947 since August 1, 2025, with over 13,800 makes an attempt detected up to now. Nonetheless, the success fee of those efforts is at present not clear.

The next IP addresses have been noticed focusing on the Service Finder Bookings plugin account switching perform –

5.189.221.98
185.109.21.157
192.121.16.196
194.68.32.71
178.125.204.198

Directors are really helpful to audit their websites for any indicators of suspicious exercise and guarantee all of the plugins and themes are working the most recent model.

The Hacker News Tags:, , , , , , , , ,

Related Posts

AI Is Already the #1 Data Exfiltration Channel in the Enterprise AI Is Already the #1 Data Exfiltration Channel in the Enterprise The Hacker News
CISA Flags TP-Link Router Flaws CVE-2023-50224 and CVE-2025-9377 as Actively Exploited CISA Flags TP-Link Router Flaws CVE-2023-50224 and CVE-2025-9377 as Actively Exploited The Hacker News
Critical RCE Bug Rated 9.9 CVSS in Backup & Replication Critical RCE Bug Rated 9.9 CVSS in Backup & Replication The Hacker News
USB Malware, React2Shell, WhatsApp Worms, AI IDE Bugs & More USB Malware, React2Shell, WhatsApp Worms, AI IDE Bugs & More The Hacker News
Germany Shuts Down eXch Over .9B Laundering, Seizes €34M in Crypto and 8TB of Data Germany Shuts Down eXch Over $1.9B Laundering, Seizes €34M in Crypto and 8TB of Data The Hacker News
Russia-Linked Hackers Target Tajikistan Government with Weaponized Word Documents Russia-Linked Hackers Target Tajikistan Government with Weaponized Word Documents The Hacker News