
Threat actors are actively exploiting a critical security flaw affecting the Service Finder WordPress theme that allows them to gain unauthorized access to any account, including administrators, and take control of susceptible sites.
The authentication bypass vulnerability, tracked as CVE-2025-5947 (CVSS score: 9.8), affects Service Finder Bookings, a WordPress plugin bundled with the Service Finder theme. It was discovered by a researcher named Foxyyy.
“This vulnerability allows an unauthenticated attacker to gain access to any account on the site, including accounts with the ‘admin’ role,” said Wordfence researcher Istvan Marton.
At the core of this issue is an authentication bypass that leads to privilege escalation: the account switch-back function (service_finder_switch_back()) reads a user ID from a cookie and logs the request in as that user without validating the value. Because the client fully controls the cookie, it is being treated as proof of identity when it is nothing more than attacker-supplied input.
As a result, an unauthenticated attacker could take advantage of this behavior by signing in to a site as any user, including an administrator, effectively taking over the site and using it for illicit purposes, such as injecting malicious code to redirect users to a fake site or using the site to host malware.
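The following is an added example, not code from the Service Finder Bookings plugin or from Wordfence: an illustrative "switch to user / switch back" feature written in the style of a WordPress plugin, showing the class of bug described above next to a hardened version. The query parameter `switch_back`, the cookie name `original_user_id`, the nonce action prefix and the transient key prefix `sf_switch_back_` are assumptions made for this example; only the WordPress core functions it calls are real.

```php
<?php
/**
 * Added example, not the plugin's own code. Names such as `switch_back`,
 * `original_user_id` and the `sf_switch_back_` prefix are assumptions.
 */

// --- Vulnerable pattern -----------------------------------------------------
// The user ID is read from a cookie the client controls and turned straight
// into an authenticated session. No login, nonce or capability is required,
// so an unauthenticated request carrying "Cookie: original_user_id=1" becomes
// user 1, which on most sites is the first administrator account.
function example_switch_back_vulnerable() {
    if ( empty( $_GET['switch_back'] ) ) {
        return;
    }
    $original_user_id = isset( $_COOKIE['original_user_id'] ) ? (int) $_COOKIE['original_user_id'] : 0;
    if ( $original_user_id > 0 ) {
        wp_set_auth_cookie( $original_user_id );
        wp_safe_redirect( admin_url() );
        exit;
    }
}

// --- Hardened pattern -------------------------------------------------------
// 1. Only an administrator can start a switch, and the server records who
//    switched into whom in an expiring transient. The client never names the
//    target of a later switch-back.
function example_switch_to_user( $target_user_id ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Not allowed.', '', array( 'response' => 403 ) );
    }
    $target_user_id = (int) $target_user_id;
    if ( $target_user_id <= 0 || ! get_userdata( $target_user_id ) ) {
        wp_die( 'Unknown user.', '', array( 'response' => 400 ) );
    }
    // Remember the administrator's ID server-side, keyed on the target user.
    set_transient( 'sf_switch_back_' . $target_user_id, get_current_user_id(), HOUR_IN_SECONDS );
    wp_clear_auth_cookie();
    wp_set_auth_cookie( $target_user_id );
    wp_safe_redirect( admin_url() );
    exit;
}

// 2. Switching back requires a logged-in session, a nonce bound to that
//    session, and a matching server-side record. Nothing about the target
//    user is taken from the request.
function example_switch_back_hardened() {
    if ( empty( $_GET['switch_back'] ) ) {
        return;
    }
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not authenticated.', '', array( 'response' => 403 ) );
    }
    $current_id = get_current_user_id();
    $nonce      = isset( $_GET['_wpnonce'] ) ? (string) $_GET['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'sf_switch_back_' . $current_id ) ) {
        wp_die( 'Invalid switch-back token.', '', array( 'response' => 403 ) );
    }
    $original_user_id = (int) get_transient( 'sf_switch_back_' . $current_id );
    if ( $original_user_id <= 0 || ! get_userdata( $original_user_id ) ) {
        wp_die( 'No switch-back session.', '', array( 'response' => 403 ) );
    }
    // One-shot: the record is consumed so the link cannot be replayed.
    delete_transient( 'sf_switch_back_' . $current_id );
    wp_clear_auth_cookie();
    wp_set_auth_cookie( $original_user_id );
    wp_safe_redirect( admin_url() );
    exit;
}

// The nonce is minted by the same session that will later consume it, e.g.
// when rendering the "switch back" link for the impersonated session:
//   add_query_arg( array(
//       'switch_back' => 1,
//       '_wpnonce'    => wp_create_nonce( 'sf_switch_back_' . get_current_user_id() ),
//   ), home_url( '/' ) );
add_action( 'init', 'example_switch_back_hardened' );
```

The point of the hardened version is not the nonce on its own but where the target identity comes from: the ID of the account to return to is stored server-side at switch time and looked up by the current session, so an unauthenticated request with a forged cookie has nothing to forge. A nonce check alone would still be bypassable if the handler kept reading the user ID from the client.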

The vulnerability affects all versions of the plugin up to and including 6.0. It was addressed by the plugin developer on July 17, 2025 with the release of version 6.1. According to Envato Market data, the theme has been sold to over 6,100 customers.
The WordPress security firm said it has been observing exploit activity targeting CVE-2025-5947 since August 1, 2025, and has detected over 13,800 attempts to date. However, the success rate of these efforts is currently unclear.

The following IP addresses have been observed targeting the account switching functionality of the Service Finder Bookings plugin:
5.189.221.98
185.109.21.157
192.121.16.196
194.68.32.71
178.125.204.198
We recommend that administrators update to version 6.1 or later, audit their sites for signs of suspicious activity (in particular unexpected administrator accounts and modified theme or plugin files), and ensure that all plugins and themes are running the latest versions.