A critical authentication bypass vulnerability (CVE-2025-5947) has been discovered in the WordPress Service Finder Bookings plugin, actively exploited by attackers to gain administrator-level access and full control over vulnerable websites. The flaw, identified on June 8, 2025, arises from improper cookie validation in the plugin’s account-switching feature, which allows unauthenticated users to impersonate admins and modify site content, settings, or install malicious payloads.
The vulnerability affects all plugin versions prior to 6.1 and has already seen thousands of exploitation attempts in the wild following public disclosure. With over 6,000 installations of the Service Finder plugin globally—commonly used for service scheduling, bookings, and payment management—this exposure poses a severe risk to small businesses and service providers operating WordPress-based platforms.
Although a security patch was released on July 17, 2025, exploitation began within days of public disclosure, emphasizing the urgent need for immediate remediation.
The flaw exists within the plugin’s service_finder_switch_back() routine, which fails to perform proper authentication and authorization checks when switching user accounts. By manipulating cookies, attackers can directly bypass login mechanisms and assume administrative privileges.
Once exploited, an attacker can:
Access and modify site configurations, content, and databases.
Upload malicious files or install rogue plugins.
Create or delete admin accounts, enabling persistent access.
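As an added illustration (not the plugin's actual code), the CWE-639 pattern described above next to a hardened form: the first handler logs in whatever user id a cookie names, the second only honours a switch-back that was recorded server-side when an administrator switched into the account. The hook, query-parameter, cookie and meta-key names are assumptions.

```php
<?php
// Added illustration of the CWE-639 pattern, not the plugin's own code.
// Hook, query-parameter, cookie and meta-key names are assumptions.
// VULNERABLE pattern: the account to log into is taken straight from a
// client-controlled cookie, with no authentication or capability check.
function demo_switch_back_vulnerable() {
    if ( ! isset( $_GET['demo_switch_back'], $_COOKIE['demo_original_user_id'] ) ) {
        return;
    }
    $user_id = absint( $_COOKIE['demo_original_user_id'] ); // attacker-chosen
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id ); // session now belongs to that user, e.g. the admin
    wp_safe_redirect( admin_url() );
    exit;
}

// HARDENED pattern: record the switch server-side when it happens, then only
// honour a switch-back for the logged-in user that record was written for.
function demo_record_switch( $admin_id, $target_id ) {
    $token = wp_generate_password( 32, false );
    update_user_meta( $target_id, '_demo_switch_origin', array(
        'admin_id' => $admin_id,
        'token'    => wp_hash( $token ),
        'expires'  => time() + HOUR_IN_SECONDS,
    ) );
    return $token; // goes into the switch-back link; it is not the identity
}
function demo_switch_back_hardened() {
    if ( ! isset( $_GET['demo_switch_back'] ) ) {
        return;
    }
    $nonce = sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ?? '' ) );
    if ( ! is_user_logged_in() || ! wp_verify_nonce( $nonce, 'demo_switch_back' ) ) {
        wp_die( 'Not allowed', '', array( 'response' => 403 ) );
    }
    $me     = get_current_user_id();
    $origin = get_user_meta( $me, '_demo_switch_origin', true );
    $token  = sanitize_text_field( wp_unslash( $_GET['token'] ?? '' ) );
    if ( empty( $origin ) || $origin['expires'] < time()
        || ! hash_equals( $origin['token'], wp_hash( $token ) )
        || ! user_can( $origin['admin_id'], 'manage_options' ) ) {
        wp_die( 'Not allowed', '', array( 'response' => 403 ) );
    }
    delete_user_meta( $me, '_demo_switch_origin' ); // single use
    wp_set_current_user( $origin['admin_id'] );
    wp_set_auth_cookie( $origin['admin_id'] );
    wp_safe_redirect( admin_url() );
    exit;
}
add_action( 'init', 'demo_switch_back_hardened' );
```

The hardened handler never reads an identity from the request: the cookie or token is only a lookup key into a server-side record that is bound to the currently authenticated user, time-limited and consumed on use.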
The vulnerability was first reported through a bug bounty program and publicly disclosed on July 31, 2025, after patch deployment. Exploitation attempts surged immediately afterward, with widespread scanning detected across WordPress-hosted environments.
Vulnerability Metadata:
CVE ID: CVE-2025-5947
Affected Product: WordPress Service Finder Bookings Plugin (versions < 6.1)
CPE: cpe:2.3:a:service_finder_bookings_plugin:service_finder_bookings_plugin::::::::
CWE ID: CWE-639 (Authorization Bypass Through User-Controlled Key)
Impact: Administrator Impersonation, Full Site Takeover.
Update Immediately: Install Service Finder Bookings Plugin version 6.1 or later to fully remediate the authentication bypass flaw.
Do Not Rely Solely on Firewalls: Web Application Firewalls (WAFs) and security plugins like Wordfence can block some attacks, but they cannot replace patching.
Audit Access Logs: Check for suspicious logins, user privilege changes, or unexpected administrative actions.
Enforce Strong Access Controls: Use unique, complex passwords for all admin accounts and enable two-factor authentication (2FA) for added protection.
Implement Continuous Vulnerability Management: Regularly assess and update all WordPress plugins, themes, and dependencies. Maintain a software inventory to track patch compliance and monitor third-party vendor security practices.
IPv4 Addresses Linked to Exploitation Attempts:
TA0042 – Resource Development – T1588 (Obtain Capabilities), T1588.006 (Vulnerabilities)
TA0001 – Initial Access – T1190 (Exploit Public-Facing Application)
TA0004 – Privilege Escalation – T1068 (Exploitation for Privilege Escalation), T1078 (Valid Accounts)