October 9, 2025 By Pierluigi Paganini

Threat actors are exploiting a critical flaw, tracked as CVE-2025-5947, in the Service Finder WordPress theme’s Bookings plugin.
Threat actors are exploiting a critical vulnerability, tracked as CVE-2025-5947 (CVSS score 9.8), in the Service Finder WordPress theme’s Bookings plugin.
The plugin, in all versions up to and including 6.0, has an authentication bypass issue that lets unauthenticated attackers log in as any user, including administrators, because it does not properly validate a cookie value before logging the user in.
“The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0,” reads the advisory published by Wordfence. “This is due to the plugin not properly validating a user’s cookie value prior to logging them in through the service_finder_switch_back() function. This makes it possible for unauthenticated attackers to log in as any user including admins.”
An attacker can exploit this authentication bypass to take over any account, including administrator accounts.
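As an added illustration of the bug class described above, and not the Service Finder Bookings plugin's own code: a hypothetical "switch back" routine that trusts a client-supplied cookie for the user ID, beside a hardened version that only honours a server-side, single-use, expiring token bound to the logged-in session. Function, cookie and meta-key names are assumptions; the WordPress API calls (get_user_by, wp_set_auth_cookie, get_user_meta, wp_generate_password) are real.

```php
<?php
// Added example (not the plugin's code). Names prefixed "example_" are hypothetical.

// Vulnerable pattern: the account to log in to comes straight from a cookie the
// client controls, so no authentication is actually required to become that user.
function example_switch_back_insecure() {
    if ( empty( $_COOKIE['original_user_id'] ) ) {
        return false;
    }
    $user = get_user_by( 'id', (int) $_COOKIE['original_user_id'] );
    if ( ! $user ) {
        return false;
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    return true;
}

// Hardened pattern, step 1: when an admin switches into another account, record
// a random token server-side (only its hash), tied to the target account and an
// expiry. The caller places the raw token in an HttpOnly, Secure cookie.
function example_issue_switch_token( $original_user_id, $target_user_id, $ttl = 3600 ) {
    $token = wp_generate_password( 32, false );
    update_user_meta( $target_user_id, 'example_switch_token', array(
        'orig'    => (int) $original_user_id,
        'hash'    => hash( 'sha256', $token ),
        'expires' => time() + $ttl,
    ) );
    return $token;
}

// Hardened pattern, step 2: switching back requires a live session for the target
// account, a cookie whose hash matches the stored record, and an unexpired token.
// The record is deleted on use, so a captured cookie cannot be replayed.
function example_switch_back_secure() {
    if ( ! is_user_logged_in() || empty( $_COOKIE['example_switch_token'] ) ) {
        return false;
    }
    $current = get_current_user_id();
    $record  = get_user_meta( $current, 'example_switch_token', true );
    if ( ! is_array( $record ) || time() > (int) $record['expires'] ) {
        return false;
    }
    $presented = hash( 'sha256', (string) $_COOKIE['example_switch_token'] );
    if ( ! hash_equals( $record['hash'], $presented ) ) { // constant-time compare
        return false;
    }
    delete_user_meta( $current, 'example_switch_token' );
    wp_set_current_user( $record['orig'] );
    wp_set_auth_cookie( $record['orig'] );
    return true;
}
```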