Introduction

A critical vulnerability in the Service Finder Bookings component used by the Service Finder WordPress theme permits unauthenticated attackers to impersonate any user — including administrators — and fully compromise affected sites. The issue, tracked as CVE-2025-5947, should be treated as an urgent patch-and-audit priority for site owners and hosting providers.

Background / Context

Service Finder is a commercial WordPress theme that bundles a Bookings plugin to handle appointment scheduling and account switching. The theme has been widely distributed through marketplaces and is actively used on thousands of sites. The Bookings plugin included an account-switching capability intended for administrators and service managers; however, the implementation did not adequately validate cookie values used to perform an account switch.

The failure to validate the user switch cookie allowed unauthenticated attackers to trigger the plugin’s service_finder_switch_back() functionality and receive an authenticated session for any account on the site — including admin accounts. This is a classical authentication-bypass privilege escalation and carries the risk of full site compromise.

Technical Details

• Vulnerability class: Authentication bypass leading to privilege escalation (improper validation of user-supplied cookie).
• Affected code path: Account switching function service_finder_switch_back() in the Service Finder Bookings plugin.
• Root cause: The plugin logged users in based on an unchecked cookie value. The value was not cryptographically validated or tied to a server-side session/token, enabling attackers to craft or replay a cookie and gain an authenticated session.
• Impact: Complete account takeover, including the ability to create or delete administrator accounts, install or modify plugins/themes, upload backdoors or web shells, inject malicious redirects, and exfiltrate data.

Timeline of Events

• Vulnerability discovery and initial reporting — June 2025 (reported through vulnerability disclosure channels).
• Patch release — July 17, 2025 (Service Finder Bookings version 6.1, which fixes the cookie validation/account-switch handling).
• Public disclosures and advisories — July–August 2025 and ongoing security reporting.
• Active exploitation observed — security telemetry shows active exploitation and scanning from August 1, 2025, continuing into October 2025.

Indicators of Compromise (IoCs)

Security vendors and incident responders have observed scanning and exploitation attempts against the vulnerable endpoint. Example IP addresses that have been associated with activity targeting the Bookings plugin account switching function include:

• 5.189.221.98
• 185.109.21.157
• 192.121.16.196
• 194.68.32.71
• 178.125.204.198

Note: Attackers can (and frequently do) rotate infrastructure rapidly. IP-based blocking can be a short-term mitigation but is not a substitute for patching and comprehensive remediation.

Impact / Scope

• Severity: Critical (CVSS 9.8).
• Affected versions: Service Finder Bookings plugin ≤ 6.0.
• Fixed in: Service Finder Bookings 6.1 (released July 17, 2025).
• Distribution footprint: The theme has been sold to thousands of customers via marketplaces; active installations represent a substantial attack surface for opportunistic and targeted attackers.

Response / Mitigation Guidance (Actionable Checklist)

1. Patch immediately: Upgrade the Service Finder Bookings plugin/theme to version 6.1 or later. If you cannot patch immediately, deactivate the Bookings plugin until a patch can be applied.
2. Audit administrator accounts: Look for unexpected admin users, privilege escalations, or credential resets.
3. Review logs: Search web server and WordPress logs for suspicious activity, especially requests to endpoints associated with account switching and for successful logins originating from the IoC addresses above.
4. Check file integrity: Look for recently modified PHP files in wp-content/themes/ and wp-content/plugins/, new plugins, or unknown scheduled tasks.
5. Rotate credentials: Reset passwords for administrator accounts and revoke any API keys or credentials that may have been stored in the site.
6. Harden access controls: Enforce MFA for all administrator accounts, limit access to wp-admin to trusted IPs where possible, and use principle of least privilege for accounts.
7. Scan and remove backdoors: Use reputable malware scanners and, if compromise is suspected, perform a full forensic analysis and restore from a known-good backup.
8. Notify stakeholders: If sensitive data might have been exposed, follow your incident response and disclosure policies.

Expert Commentary

This vulnerability illustrates a recurring class of web application failures: design assumptions about server-side state and client-supplied tokens. Account-switch features are operationally useful but must rely on server-controlled, cryptographically protected tokens and explicit authorization checks. The lack of validation of a user-supplied cookie made an otherwise routine convenience feature into a catastrophic failure mode.

Administrators should treat convenience features that manipulate authentication state as high-risk and ensure they are implemented using secure, server-side session management patterns and strong cryptographic validation.

Outlook

Given the critical severity and widespread distribution of the theme, attackers will continue to scan for and attempt exploitation of vulnerable instances until the population of unpatched sites is reduced. Marketplace vendors, hosting providers, and site maintainers should prioritize patch deployment and proactive scanning. Monitoring and rapid response will be essential to prevent persistent compromises.

References / Source Attribution

Sources used to compile this advisory include vulnerability intelligence and public reporting from major security vendors and vulnerability databases. For technical verification consult vendor advisories, the NVD/CVE entry for CVE-2025-5947, and security vendor write-ups.