
Service Finder Plugin Flaw Opens Door to Full Site Compromise

Red | Vulnerability Report

CVE-2025-5947: WordPress Service Finder Plugin Exploit Enables Full Site Takeover

Summary

A critical authentication bypass vulnerability (CVE-2025-5947) has been discovered in the WordPress Service Finder Bookings plugin, actively exploited by attackers to gain administrator-level access and full control over vulnerable websites. The flaw, identified on June 8, 2025, arises from improper cookie validation in the plugin’s account-switching feature, which allows unauthenticated users to impersonate admins and modify site content, settings, or install malicious payloads.

The vulnerability affects all plugin versions prior to 6.1 and has already seen thousands of exploitation attempts in the wild following public disclosure. With over 6,000 installations of the Service Finder plugin globally—commonly used for service scheduling, bookings, and payment management—this exposure poses a severe risk to small businesses and service providers operating WordPress-based platforms.

Although a security patch was released on July 17, 2025, exploitation began within days of public disclosure, emphasizing the urgent need for immediate remediation.


Vulnerability Details

The flaw exists within the plugin’s service_finder_switch_back() routine, which fails to perform proper authentication and authorization checks when switching user accounts. By manipulating cookies, attackers can directly bypass login mechanisms and assume administrative privileges.

Once exploited, an attacker can:

  • Access and modify site configurations, content, and databases.

  • Upload malicious files or install rogue plugins.

  • Create or delete admin accounts, enabling persistent access.

The vulnerability was first reported through a bug bounty program and publicly disclosed on July 31, 2025, after patch deployment. Exploitation attempts surged immediately afterward, with widespread scanning detected across WordPress-hosted environments.
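The pattern behind this class of flaw, as an added illustration that is not the plugin's code (the advisory does not reproduce it): a hypothetical WordPress switch-back handler that trusts a user ID carried in a cookie, followed by a hardened form in which an administrator-only step records server side who may switch back, the cookie holds only a random single-use handle, and switching back requires a logged-in user, a nonce and a matching record. All function, cookie and meta-key names are assumptions.

```php
<?php
// Added illustration of the CWE-639 pattern in a WordPress "switch back"
// feature. NOT the Service Finder plugin's code; all names are hypothetical.
// VULNERABLE: the account to switch to is read straight from a cookie the
// client controls, with no check that anyone ever authorised a switch.
function hypothetical_switch_back_vulnerable() {
    if ( empty( $_COOKIE['original_user_id'] ) ) {
        return;
    }
    $user_id = (int) $_COOKIE['original_user_id']; // attacker-chosen value
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id );                // session now runs as $user_id
}
// HARDENED, step 1: only an administrator may start a switch. Who may switch
// back, and to whom, is recorded server side; the cookie is a random handle.
function hypothetical_start_switch( $target_id ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden.' );
    }
    $token = bin2hex( random_bytes( 32 ) );
    update_user_meta( $target_id, '_switch_back_record', array(
        'token' => $token, 'original_user' => get_current_user_id(),
        'expires' => time() + HOUR_IN_SECONDS ) );
    setcookie( 'switch_back_token', $token, time() + HOUR_IN_SECONDS,
        COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true ); // secure + HttpOnly
    wp_set_auth_cookie( $target_id );
}
// HARDENED, step 2: switching back needs a logged-in user, a valid nonce, and
// a cookie matching the single-use record stored for that user.
function hypothetical_switch_back_hardened() {
    if ( ! is_user_logged_in() || empty( $_COOKIE['switch_back_token'] ) ) {
        return;
    }
    if ( ! wp_verify_nonce( $_GET['_wpnonce'] ?? '', 'switch_back' ) ) {
        wp_die( 'Invalid request.' );
    }
    $current = get_current_user_id();
    $record  = get_user_meta( $current, '_switch_back_record', true );
    delete_user_meta( $current, '_switch_back_record' ); // consume it either way
    if ( ! is_array( $record ) || empty( $record['token'] )
        || ! hash_equals( $record['token'], (string) $_COOKIE['switch_back_token'] )
        || time() > (int) ( $record['expires'] ?? 0 ) ) {
        wp_die( 'No valid switch to return to.' );
    }
    $original = (int) $record['original_user']; // set by the admin-only step 1
    wp_set_current_user( $original );
    wp_set_auth_cookie( $original );
    wp_safe_redirect( admin_url() );
    exit;
}
```

The hardened form never takes the target identity from the client; the cookie only proves possession of a handle that the server itself issued during an authorised switch.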

Vulnerability Metadata:

  • CVE ID: CVE-2025-5947

  • Affected Product: WordPress Service Finder Bookings Plugin (versions < 6.1)

  • CPE: cpe:2.3:a:service_finder_bookings_plugin:service_finder_bookings_plugin:*:*:*:*:*:*:*:*

  • CWE ID: CWE-639 (Authorization Bypass Through User-Controlled Key)

  • Impact: Administrator Impersonation, Full Site Takeover.


Recommendations

  • Update Immediately: Install Service Finder Bookings Plugin version 6.1 or later to fully remediate the authentication bypass flaw.

  • Do Not Rely Solely on Firewalls: Web Application Firewalls (WAFs) and security plugins like Wordfence can block some attacks, but they cannot replace patching.

  • Audit Access Logs: Check for suspicious logins, user privilege changes, or unexpected administrative actions.

  • Enforce Strong Access Controls: Use unique, complex passwords for all admin accounts and enable two-factor authentication (2FA) for added protection.

  • Implement Continuous Vulnerability Management: Regularly assess and update all WordPress plugins, themes, and dependencies. Maintain a software inventory to track patch compliance and monitor third-party vendor security practices.


Indicators of Compromise (IoCs)

IPv4 Addresses Linked to Exploitation Attempts:

  • 5[.]189[.]221[.]98

  • 185[.]109[.]21[.]157

  • 192[.]121[.]16[.]196

  • 194[.]68[.]32[.]71

  • 178[.]125[.]204[.]198


MITRE ATT&CK TTPs

  • TA0042 – Resource Development: T1588 (Obtain Capabilities), T1588.006 (Vulnerabilities)

  • TA0001 – Initial Access: T1190 (Exploit Public-Facing Application)

  • TA0004 – Privilege Escalation: T1068 (Exploitation for Privilege Escalation), T1078 (Valid Accounts)

