
Critical WordPress Flaw Exposes Service Finder Sites to Full Takeover

 

Threat actors continue to exploit a critical security flaw in the Service Finder WordPress theme, which allows them to gain unauthorized access to any account—including administrators—and seize control of vulnerable sites.

The authentication bypass vulnerability, tracked as CVE-2025-5947 (CVSS score: 9.8), affects the Service Finder Bookings plugin bundled with the Service Finder theme. Researcher Foxyyy discovered the issue and reported it for further analysis.

“This vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site, including accounts with the ‘administrator’ role,” Wordfence researcher István Márton said.

At its core, the problem stems from a privilege escalation flaw caused by improper authentication checks. Specifically, the plugin fails to properly validate a user’s cookie value before logging them in through the account switching function (service_finder_switch_back()).

Consequently, unauthenticated attackers can exploit this weakness to sign in as any user, including administrators. Once inside, they can hijack the site and carry out malicious actions, such as injecting code that redirects visitors to fraudulent pages or using the site to host malware.

The vulnerability impacts all versions of the theme up to and including 6.0. The plugin maintainers fixed the issue on July 17, 2025, with the release of version 6.1. According to Envato Market data, more than 6,100 customers purchased the theme.

Since August 1, 2025, Wordfence has observed continuous exploitation attempts targeting CVE-2025-5947. So far, it has detected over 13,800 attacks, though the actual success rate remains unclear.

Security analysts have identified the following IP addresses actively targeting the Service Finder Bookings plugin account switching function:

  • 5.189.221.98
  • 185.109.21.157
  • 192.121.16.196
  • 194.68.32.71
  • 178.125.204.198

Given these findings, administrators should immediately audit their sites for any indicators of compromise or suspicious activity. They should also verify that all plugins and themes run the latest available versions to minimize exposure and strengthen overall security posture.
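As a starting point for that audit, the following added example (not code from Wordfence or the plugin authors) triages a web server access log for requests from the IP addresses listed above and flags any dashboard page they loaded successfully. It assumes the Apache/nginx "combined" log format with the real client IP in the first field; the function name, the heuristic and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Source IPs listed in the article.
REPORTED_IPS = {"5.189.221.98", "185.109.21.157", "192.121.16.196",
                "194.68.32.71", "178.125.204.198"}

# Assumption: Apache/nginx "combined" format with the real client IP first.
# Behind a proxy or CDN, match on the forwarded-for field instead.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def triage(lines):
    """Summarise requests from the reported IPs: hit count, first/last seen,
    and any 200 responses on dashboard pages."""
    report = defaultdict(
        lambda: {"hits": 0, "first": None, "last": None, "admin_200": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["ip"] not in REPORTED_IPS:
            continue  # unparseable line or unrelated client
        entry = report[m["ip"]]
        entry["hits"] += 1
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
        # Heuristic: /wp-admin/ pages redirect anonymous clients to the login
        # form, so a 200 suggests a logged-in session. admin-ajax.php can
        # answer anonymous clients with 200, so it is excluded.
        if (m["status"] == "200" and "/wp-admin/" in m["path"]
                and "admin-ajax.php" not in m["path"]):
            entry["admin_200"].append((m["ts"], m["path"]))
    return dict(report)

# Constructed sample lines, not real traffic.
SAMPLE = [
    '5.189.221.98 - - [02/Aug/2025:10:15:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "curl/8.0"',
    '5.189.221.98 - - [02/Aug/2025:10:15:09 +0000] "GET /wp-admin/plugins.php HTTP/1.1" 200 9120 "-" "curl/8.0"',
    '203.0.113.7 - - [02/Aug/2025:10:16:00 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 8100 "-" "Mozilla/5.0"',
    '194.68.32.71 - - [03/Aug/2025:04:02:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1 "-" "curl/8.0"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for ip, info in triage(SAMPLE).items():
        print(ip, info["hits"], info["first"], info["last"], info["admin_200"])
```

Any entry with a non-empty `admin_200` list warrants a closer look at user accounts, recently modified files and installed plugins on that site; an empty result does not rule out compromise, since attackers can use other addresses.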

 


Source: TheHackerNews
