Web site homeowners utilizing the Service Finder WordPress theme and its bundled Bookings plugin should replace their software program instantly, as a critical safety flaw is presently being focused by cybercriminals. This crucial concern permits unauthorised people to take full management of affected websites.
Straightforward Entry to Administrator Accounts
The vulnerability, tracked as CVE-2025-5947, is an authentication bypass, which merely means a hacker can get previous the login display screen and not using a legitimate password. Safety specialists have given this flaw a really excessive severity rating of 9.8 out of 10.
The issue lies in how the Service Finder Bookings plugin handles an account switching operate. Attackers discovered they might exploit this by sending a request to the web site whereas falsely attaching a cookie (a small piece of hidden information) that identifies them as the positioning’s administrator. The plugin did not correctly verify if this figuring out information was actual or pretend.
This oversight permits any hacker (even one who has no account on the positioning) to trick the system into logging them in as any consumer, together with the positioning’s administrator. As soon as logged in as an administrator, they will inject dangerous code, ship guests to pretend web sites, and even use the positioning to host malicious software program.
Discovery and Lively Assaults
The flaw was initially discovered by a researcher generally known as Foxyyy and reported to the Wordfence Bug Bounty Program. Wordfence, a number one WordPress safety agency, facilitated the accountable disclosure course of and printed the main points, together with the researcher’s identify, on their platform.
In response to the Wordfence weblog put up, the difficulty impacts all variations of the theme as much as and together with model 6.0. The maintainers of the theme rapidly launched a repair in model 6.1 on July 17, 2025. Nevertheless, it was later recognized that regardless of the patch being obtainable, attackers began actively exploiting the flaw nearly instantly, starting on August 1, 2025.
Moreover, over 13,800 makes an attempt to take advantage of this vulnerability have been detected since that date. The Service Finder theme has been bought by greater than 6,000 prospects, which suggests 1000’s of internet sites may nonetheless be in danger.
Web site directors are strongly urged to replace the Service Finder theme and plugin to model 6.1 or later straight away. It’s value noting that for these operating safety software program just like the Wordfence firewall, many of those assault makes an attempt have been blocked. It’s because the firewall detects the malicious, pretend cookie information being utilized by the attacker and instantly blocks the request earlier than it might probably attain the weak a part of the web site.
Nevertheless, updating your software program stays the very best and most full defence to forestall this sort of unauthorised entry.
Commentary on Net Safety
“The pure deja vu of one other crucial WordPress vulnerability can’t be ignored as risk actors are more and more automating the exploitation of frequent CMS plugins to realize persistent entry to internet infrastructure,“ stated Gunter Ollmann, CTO at Cobalt.
“As soon as inside, adversaries can pivot to distributing malware, stealing credentials, or utilizing compromised websites in bigger botnets,” Ollmann warned. “The WordPress ecosystem’s accessibility makes it a chief goal, and with so many vulnerabilities like this over time, safety groups ought to deal with the service as untrusted and strengthen techniques round it to guard crucial information and linked techniques.”
