A critical security vulnerability in the Service Finder WordPress theme and its accompanying Bookings plugin is being actively exploited in the wild, allowing threat actors to bypass authentication and gain administrative control over websites. The flaw, which affects all versions up to and including 6.0, was publicly disclosed on July 31, 2025, with widespread exploitation campaigns beginning just one day later. This rapid weaponization highlights the persistent threat landscape for WordPress ecosystems, where unpatched vulnerabilities become immediate targets for malicious actors.
Vulnerability Overview and Technical Details
The vulnerability encompasses two distinct but severe issues tracked as CVE-2025-5947 and CVE-2025-5948, both carrying a critical CVSS score of 9.8. The first flaw, CVE-2025-5947, is an authentication bypass via a user switch cookie. It resides in the `service_finder_switch_back()` function, which fails to properly validate a user’s cookie value before logging them in. This allows an unauthenticated attacker to assume the identity of any user on the site, including administrators, by supplying a crafted cookie. The second flaw, CVE-2025-5948, is an account takeover vulnerability via the `claim_business` AJAX action. This function does not adequately verify a user’s identity before allowing them to claim a business, potentially enabling an attacker to take over an account. While this method might require a valid `claim_id` or subscriber-level access for brute-forcing, it remains a practical attack vector for privilege escalation.
Exploitation Timeline and Attack Scale
The vulnerability’s lifecycle provides a clear example of the modern exploit development timeline. The issue was discovered and submitted via the Wordfence Bug Bounty Program on June 8, 2025. The vendor released a patch on July 17, 2025, and public disclosure followed on July 31, 2025. Active exploitation began on August 1, 2025, demonstrating that threat actors require less than 24 hours to weaponize a publicly disclosed vulnerability for widespread attacks. The Wordfence firewall has been instrumental in mitigating these attacks, blocking over 13,800 exploit attempts as of early October 2025. In a single 24-hour period preceding data collection, the firewall blocked 95 individual attacks targeting this vulnerability. This data illustrates the persistent and automated nature of these exploitation campaigns.
Affected Software and Remediation Steps
The vulnerable component is the Service Finder Bookings plugin, which is often bundled with the Service Finder theme. All versions up to and including 6.0 are affected by these critical flaws. The patched version, 6.1, was released on July 17, 2025, and all users must update to this version or newer immediately. For organizations using the Wordfence security platform, Premium, Care, and Response users received a protective firewall rule on June 13, 2025, while free users received the same protection on July 13, 2025, after the standard 30-day delay. Beyond applying the patch, administrators should conduct a thorough review of their sites for any signs of compromise, such as unauthorized administrative users, unfamiliar plugins, or modified core files. Monitoring access logs for requests to the `claim_business` AJAX endpoint or suspicious cookie-based authentication events is also recommended.
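The log review recommended above can be scripted. The following is an added example (not code from the article or from Wordfence) that parses web server access log lines in the common combined format, flags requests whose query string carries the `claim_business` AJAX action on `admin-ajax.php` (the standard WordPress AJAX entry point), and reports clients that hit it repeatedly, which is the pattern the brute-forcing scenario above would produce. The sample log lines, the client addresses and the burst threshold of 5 are constructed for illustration.

```python
"""Flag requests to the claim_business AJAX action in web server access logs."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined log format: client, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

SUSPECT_ACTION = "claim_business"   # the AJAX action named in the advisory
BURST_THRESHOLD = 5                 # assumption: more than 5 hits from one client is worth a look

# Constructed sample log (not real traffic): one client hammering the action, one single hit,
# and ordinary requests that must not be flagged.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [01/Aug/2025:10:15:01 +0000] "POST /wp-admin/admin-ajax.php?action=claim_business HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.5 - - [01/Aug/2025:10:15:02 +0000] "POST /wp-admin/admin-ajax.php?action=claim_business HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.5 - - [01/Aug/2025:10:15:03 +0000] "POST /wp-admin/admin-ajax.php?action=claim_business HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.5 - - [01/Aug/2025:10:15:04 +0000] "POST /wp-admin/admin-ajax.php?action=claim_business HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.5 - - [01/Aug/2025:10:15:05 +0000] "POST /wp-admin/admin-ajax.php?action=claim_business HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.5 - - [01/Aug/2025:10:15:06 +0000] "POST /wp-admin/admin-ajax.php?action=claim_business HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.7 - - [01/Aug/2025:10:16:10 +0000] "POST /wp-admin/admin-ajax.php?action=claim_business HTTP/1.1" 200 512 "https://example.test/" "Mozilla/5.0"',
    '192.0.2.9 - - [01/Aug/2025:10:17:30 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [01/Aug/2025:10:17:31 +0000] "GET /services/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
])


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["path"])
    rec["script"] = parts.path
    # Keep only the first value of each query parameter.
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def is_claim_business_request(rec):
    """True when the request targets admin-ajax.php with action=claim_business in the query string."""
    return (rec["script"].endswith("/wp-admin/admin-ajax.php")
            and rec["query"].get("action") == SUSPECT_ACTION)


def analyze(log_text, burst_threshold=BURST_THRESHOLD):
    """Return matching records, a per-client count, and clients above the burst threshold."""
    hits = []
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_claim_business_request(rec):
            hits.append(rec)
            per_ip[rec["ip"]] += 1
    bursts = {ip: n for ip, n in per_ip.items() if n > burst_threshold}
    return {"hits": hits, "per_ip": dict(per_ip), "bursts": bursts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"{len(result['hits'])} request(s) to action={SUSPECT_ACTION}")
    for ip, n in sorted(result["per_ip"].items(), key=lambda kv: -kv[1]):
        flag = "  <-- burst" if ip in result["bursts"] else ""
        print(f"  {ip}: {n}{flag}")
```

Two caveats a defender should keep in mind. WordPress accepts the `action` parameter in the POST body as well as the query string, and standard access logs do not record bodies or cookies, so this script only sees the query-string variant; body-based calls and the cookie-based switch-back path need logging on the WordPress side (for example, a handler on the `wp_login` action that records which account was logged in and from where). Second, a single hit from an unknown client is not by itself evidence of compromise; the per-client count is there to surface the brute-force pattern, and any flagged address should be correlated with the user and plugin review described above.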
Broader Security Implications
This incident is not isolated but part of a concerning pattern where threat actors rapidly weaponize publicly disclosed WordPress plugin vulnerabilities. Similar rapid exploitation cycles have been observed with other plugins like OttoKit and themes like “Alone”. This trend underscores the critical importance of applying security patches immediately upon release, as the window between public disclosure and active exploitation has shrunk to mere hours. For security teams, this reinforces the need for robust patch management processes and proactive threat hunting. The high number of blocked attacks also suggests that automated bots are constantly scanning the internet for vulnerable installations, making any delay in patching a significant risk.
The active exploitation of the Service Finder vulnerability serves as a stark reminder of the operational risks associated with third-party WordPress components. The dual-vector nature of this flaw, allowing both direct authentication bypass and account takeover, provides multiple avenues for compromise. Organizations relying on WordPress must maintain rigorous inventory management of all themes and plugins and establish a process for prompt vulnerability assessment and patch application. The significant blocking statistics from Wordfence confirm that this vulnerability represents a clear and present danger to unpatched installations, demanding immediate attention from security and administrative teams.