Web site homeowners utilizing the Service Finder WordPress theme and its bundled Bookings plugin should replace their software program instantly, as a critical safety flaw is presently being focused by cybercriminals. This important challenge permits unauthorised people to take full management of affected websites.
Straightforward Entry to Administrator Accounts
The vulnerability, tracked as CVE-2025-5947, is an authentication bypass, which merely means a hacker can get previous the login display screen and not using a legitimate password. Safety consultants have given this flaw a really excessive severity rating of 9.8 out of 10.
The issue lies in how the Service Finder Bookings plugin handles an account switching operate. Attackers discovered they may exploit this by sending a request to the web site whereas falsely attaching a cookie (a small piece of hidden information) that identifies them as the location’s administrator. The plugin did not correctly examine if this figuring out information was actual or faux.
This oversight permits any hacker (even one who has no account on the location) to trick the system into logging them in as any consumer, together with the location’s administrator. As soon as logged in as an administrator, they will inject dangerous code, ship guests to faux web sites, and even use the location to host malicious software program.
Discovery and Lively Assaults
The flaw was initially discovered by a researcher referred to as Foxyyy and reported to the Wordfence Bug Bounty Program. Wordfence, a number one WordPress safety agency, facilitated the accountable disclosure course of and printed the main points, together with the researcher’s title, on their platform.
In line with the Wordfence weblog publish, the difficulty impacts all variations of the theme as much as and together with model 6.0. The maintainers of the theme shortly launched a repair in model 6.1 on July 17, 2025. Nonetheless, it was later recognized that regardless of the patch being out there, attackers began actively exploiting the flaw virtually instantly, starting on August 1, 2025.
Moreover, over 13,800 makes an attempt to use this vulnerability have been detected since that date. The Service Finder theme has been bought by greater than 6,000 clients, which suggests 1000’s of internet sites may nonetheless be in danger.
Web site directors are strongly urged to replace the Service Finder theme and plugin to model 6.1 or later immediately. It’s value noting that for these operating safety software program just like the Wordfence firewall, many of those assault makes an attempt have been blocked. It’s because the firewall detects the malicious, faux cookie information being utilized by the attacker and instantly blocks the request earlier than it may possibly attain the susceptible a part of the web site.
Nonetheless, updating your software program stays one of the best and most full defence to forestall this type of unauthorised entry.
Commentary on Net Safety
“The pure deja vu of one other important WordPress vulnerability can’t be ignored as menace actors are more and more automating the exploitation of frequent CMS plugins to achieve persistent entry to net infrastructure,“ stated Gunter Ollmann, CTO at Cobalt.
“As soon as inside, adversaries can pivot to distributing malware, stealing credentials, or utilizing compromised websites in bigger botnets,” Ollmann warned. “The WordPress ecosystem’s accessibility makes it a main goal, and with so many vulnerabilities like this over time, safety groups ought to deal with the service as untrusted and strengthen methods round it to guard important information and related methods.”
