Over the past two months, threat actors have weaponized a critical authentication bypass flaw in the Service Finder Bookings WordPress plugin, enabling them to hijack any account on affected websites.
First disclosed on July 31, 2025, the vulnerability came to light after a bug bounty submission revealed that the plugin's servicefinderswitchback function did not validate a user-switch cookie before elevating privileges.
Attackers quickly reverse-engineered the weakness, triggering mass exploitation campaigns that began on August 1 and intensified throughout September.
During this period, the Wordfence Firewall blocked more than 13,800 exploit attempts across thousands of websites running affected versions.
In the initial probing phase, adversaries sent specially crafted HTTP requests that included a malicious originaluserid cookie, bypassing authentication entirely.
Wordfence analysts noted the sudden uptick in abnormal switchback requests within hours of public disclosure, prompting the rapid deployment of a firewall rule for all Wordfence Premium, Care, and Response customers.
CVE ID          Affected Plugin           Versions Affected   Patched Version   CVSS 3.1 Score   Attack Vector
CVE-2025-5947   Service Finder Bookings   ≤ 6.0               6.1               9.8              Authentication Bypass
Sites using the free version received protection after a 30-day delay, leaving many installations exposed until mid-July.
The impact of successful exploitation is catastrophic: an unauthenticated actor gains full administrator privileges, allowing installation of backdoors, data exfiltration, or site defacement.
With over 6,000 active installs of the vulnerable plugin, the threat landscape widened as scanning bots and scripted exploit kits began probing for Service Finder Bookings endpoints.
Infection Mechanism
A closer look at the exploit reveals that attackers target the servicefinderswitchback endpoint by sending a GET request to ?switchback=1 with a Cookie header of the form originaluserid=<user ID>.
The plugin code then invokes:
// Vulnerable switch-back handler: the cookie value is trusted as-is.
if ( isset( $_COOKIE['originaluserid'] ) ) {
    $originaluserid = intval( $_COOKIE['originaluserid'] ); // attacker-controlled
    wp_set_current_user( $originaluserid );      // becomes that user for this request
    wp_set_auth_cookie( $originaluserid, true ); // and issues a persistent login cookie
}
Because neither authentication nor nonce checks are performed, the attacker's supplied user ID is accepted unconditionally, logging them in as that user, often the site administrator.
This simple yet powerful bypass underscores the importance of rigorous input validation in session-handling routines.
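As an added example (not from the article, Wordfence, or the plugin vendor), the following Python script scans web-server access logs for requests matching the exploit shape described above, a GET to ?switchback=1 carrying an originaluserid cookie, and flags those that arrive without any WordPress login cookie. It assumes the log is Apache combined format with the request's Cookie header appended as a final quoted field; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (not from the article): Apache combined format with the
# request's Cookie header appended as a final quoted field ("%{Cookie}i").
SAMPLE_LOG = """\
203.0.113.10 - - [01/Aug/2025:09:12:01 +0000] "GET /?switchback=1 HTTP/1.1" 302 0 "-" "python-requests/2.32" "originaluserid=1"
203.0.113.10 - - [01/Aug/2025:09:12:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.32" "wordpress_logged_in_abc=admin%7Cx"
198.51.100.7 - - [01/Aug/2025:10:00:00 +0000] "GET /?switchback=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0" "wordpress_logged_in_abc=editor%7Cx; originaluserid=5"
192.0.2.44 - - [01/Aug/2025:11:30:45 +0000] "GET /contact/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

def parse_cookies(header):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}; '-' means no Cookie header."""
    cookies = {}
    if header and header != "-":
        for part in header.split(";"):
            name, _, value = part.strip().partition("=")
            if name:
                cookies[name] = value
    return cookies

def scan_log(text):
    """Return one finding per request that matches the CVE-2025-5947 exploit shape."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format; a real tool would count these
        query = parse_qs(urlsplit(m.group("target")).query)
        cookies = parse_cookies(m.group("cookie"))
        if query.get("switchback") != ["1"] or "originaluserid" not in cookies:
            continue
        # A genuine switch-back comes from a browser that already holds a WordPress
        # login cookie; the exploit arrives with only the forged originaluserid.
        logged_in = any(n.startswith("wordpress_logged_in_") for n in cookies)
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "target_user_id": cookies["originaluserid"],
            "unauthenticated": not logged_in,
            "status": int(m.group("status")),
        })
    return findings
```

Requests flagged as unauthenticated are the ones to treat as exploitation attempts; a 302 followed by successful /wp-admin/ access from the same address suggests the bypass worked and the site should be checked for rogue administrator accounts and backdoors.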