In recent months, cyber attackers have actively exploited a significant authentication bypass vulnerability in the Service Finder Bookings WordPress plugin, enabling unauthorized access to administrator accounts on affected websites. This flaw, identified as CVE-2025-5947, was publicly disclosed on July 31, 2025, following a bug bounty report that highlighted the plugin’s failure to validate user-switch cookies in its `servicefinderswitchback` function.
Discovery and Disclosure
The vulnerability was initially uncovered through a bug bounty program, where researchers found that the `servicefinderswitchback` function did not validate user-switch cookies before elevating user privileges. This oversight allowed attackers to craft HTTP requests carrying an attacker-chosen `originaluserid` cookie, bypassing the authentication mechanism entirely.
Exploitation Timeline
Exploitation of this vulnerability began almost immediately after its disclosure. By August 1, 2025, mass exploitation campaigns were underway, with a significant increase in attack attempts observed throughout September. During this period, security firm Wordfence reported blocking over 13,800 exploit attempts across thousands of websites utilizing vulnerable versions of the plugin.
Technical Details of the Exploit
The core issue lies in the plugin’s handling of the `servicefinderswitchback` endpoint. Attackers send a GET request to `?switchback=1` accompanied by a malicious `originaluserid` cookie. The plugin’s code processes this request as follows:
```php
// Vulnerable handler as described in the advisory: runs when ?switchback=1 is requested.
// The user ID is read straight from a client-controlled cookie; there is no check that
// the visitor is logged in, no nonce, and no server-side record of an earlier switch.
if ( isset( $_COOKIE['originaluserid'] ) ) {
    $originaluserid = intval( $_COOKIE['originaluserid'] );
    wp_set_current_user( $originaluserid );        // become that user for this request
    wp_set_auth_cookie( $originaluserid, true );   // and issue a persistent login cookie for it
}
```
Because there is no check that the visitor is authenticated and no nonce validation, the plugin accepts the attacker-supplied user ID without verification and issues a login cookie for it, granting administrator-level access.
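For contrast, the following is an added example of how a switch-back handler can be hardened against the flaw described above; it is not the plugin's own code and not its actual patch. It assumes the plugin records the original administrator's ID server-side in user meta (hypothetical key `sf_switch_back_to`) when the switch is initiated, so the switch-back step never trusts a client-controlled cookie; the `sf_example_` function names and the meta key are invented for illustration, while the `wp_*` calls are standard WordPress APIs.

```php
<?php
// Added example, not the plugin's own code or patch. Hardened "switch back"
// flow for a WordPress plugin: the ID to switch back to comes from server-side
// user meta written when the switch was initiated, the request must belong to
// an authenticated session, and it must carry a nonce. Names prefixed
// sf_example_ and the meta key 'sf_switch_back_to' are hypothetical.

const SF_EXAMPLE_META_KEY = 'sf_switch_back_to';

/**
 * Forward direction: an administrator switches into another account.
 * Records the administrator's ID on the target user, server-side.
 */
function sf_example_switch_to( int $target_id ): bool {
    if ( ! current_user_can( 'manage_options' ) || ! get_userdata( $target_id ) ) {
        return false;
    }
    $admin_id = get_current_user_id();
    update_user_meta( $target_id, SF_EXAMPLE_META_KEY, $admin_id );
    wp_set_current_user( $target_id );
    wp_set_auth_cookie( $target_id, true );
    return true;
}

/**
 * Builds the switch-back link for the currently switched-in user; the nonce
 * is bound to that user's session and to this specific action.
 */
function sf_example_switch_back_url(): string {
    $url = add_query_arg( 'switchback', '1', home_url( '/' ) );
    return wp_nonce_url( $url, 'sf_example_switchback_' . get_current_user_id() );
}

add_action( 'init', 'sf_example_handle_switchback' );

/** Reverse direction: validate everything before touching the session. */
function sf_example_handle_switchback(): void {
    if ( ! isset( $_GET['switchback'] ) ) {
        return;
    }

    // 1. Must be an authenticated session, never an anonymous visitor.
    $current_id = get_current_user_id();
    if ( 0 === $current_id ) {
        return;
    }

    // 2. Nonce must match this action for this user (also blocks CSRF).
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'sf_example_switchback_' . $current_id ) ) {
        wp_die( 'Invalid switch-back request.', '', array( 'response' => 403 ) );
    }

    // 3. Target ID comes from server-side state, not from a cookie.
    $original_id = (int) get_user_meta( $current_id, SF_EXAMPLE_META_KEY, true );
    if ( $original_id <= 0 || ! get_userdata( $original_id ) ) {
        wp_die( 'No active switch-back session.', '', array( 'response' => 403 ) );
    }

    // 4. One-time use: clear the record before re-establishing the session.
    delete_user_meta( $current_id, SF_EXAMPLE_META_KEY );

    wp_set_current_user( $original_id );
    wp_set_auth_cookie( $original_id, true );
    wp_safe_redirect( admin_url() );
    exit;
}
```

Compared with the vulnerable snippet, the three checks that matter are the logged-in requirement, the nonce bound to the action and user, and the fact that the target user ID is read from state the server wrote earlier rather than from anything in the request. Clearing that state before re-establishing the session makes the link single-use, so a replayed request fails at step 3.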
Impact on Websites
With over 6,000 active installations of the vulnerable plugin, the potential impact is substantial. Successful exploitation allows attackers to:
– Install backdoors
– Exfiltrate sensitive data
– Deface websites
The rapid adoption of this exploit by malicious actors underscores the critical need for prompt vulnerability management.
Mitigation Measures
Website administrators using the Service Finder Bookings plugin should take immediate action:
1. Update the Plugin: Ensure the plugin is updated to version 6.1 or later, where the vulnerability has been patched.
2. Audit User Accounts: Review all user accounts for unauthorized additions or changes.
3. Monitor Logs: Examine server logs for unusual activity, particularly requests to the `servicefinderswitchback` endpoint.
4. Implement Security Measures: Consider deploying a Web Application Firewall (WAF) to detect and block exploit attempts.
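The following PHP command-line script, added here as an example and not part of the article or the plugin, implements the log review in step 3 against Apache combined-format access logs. The log lines at the bottom are constructed samples, not real traffic, and the `sf_` function names are invented.

```php
<?php
// Added example (not from the article or the plugin): flag requests to the
// switchback endpoint in Apache "combined" format access logs. Runs from the
// command line: php sf_scan_log.php /var/log/apache2/access.log
// Without an argument it scans the constructed sample lines below.

const SF_COMBINED_LOG = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)"$/';

/** Returns one record per request whose query string contains "switchback". */
function sf_find_switchback_requests( iterable $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        if ( ! preg_match( SF_COMBINED_LOG, trim( (string) $line ), $m ) ) {
            continue; // not a combined-format line (or an empty trailing line)
        }
        $query = parse_url( $m['path'], PHP_URL_QUERY );
        if ( empty( $query ) ) {
            continue; // no query string at all
        }
        parse_str( $query, $params );
        if ( ! array_key_exists( 'switchback', $params ) ) {
            continue;
        }
        $hits[] = array(
            'ip'     => $m['ip'],
            'time'   => $m['time'],
            'path'   => $m['path'],
            'status' => (int) $m['status'],
            'ua'     => $m['ua'],
        );
    }
    return $hits;
}

/** Counts hits per source IP, most active first. */
function sf_count_by_ip( array $hits ): array {
    $counts = array();
    foreach ( $hits as $h ) {
        $counts[ $h['ip'] ] = ( $counts[ $h['ip'] ] ?? 0 ) + 1;
    }
    arsort( $counts );
    return $counts;
}

// Constructed sample log lines (not real traffic); documentation-range IPs.
$sample = array(
    '203.0.113.10 - - [02/Aug/2025:10:15:01 +0000] "GET /?switchback=1 HTTP/1.1" 302 0 "-" "python-requests/2.32"',
    '198.51.100.7 - - [02/Aug/2025:10:15:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [02/Aug/2025:10:15:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.32"',
    '203.0.113.10 - - [02/Aug/2025:10:16:40 +0000] "GET /index.php?switchback=1 HTTP/1.1" 403 199 "-" "curl/8.5.0"',
);

$lines = $argc > 1 ? new SplFileObject( $argv[1] ) : $sample;
$hits  = sf_find_switchback_requests( $lines );

foreach ( $hits as $h ) {
    // A 302 after the switchback request means the plugin processed it and
    // redirected (possible success); a 403 usually means a WAF blocked it.
    printf( "%s %s %s status=%d ua=%s\n", $h['time'], $h['ip'], $h['path'], $h['status'], $h['ua'] );
}
foreach ( sf_count_by_ip( $hits ) as $ip => $n ) {
    printf( "%s: %d switchback request(s)\n", $ip, $n );
}
```

Two caveats for anyone running this against real logs: the combined format does not record request cookies, so the `originaluserid` value itself is not visible and a hit only shows that the endpoint was reached; and a successful switch is best confirmed by correlating the same source IP with `/wp-admin/` requests in the seconds that follow, as in the first sample IP above, then checking the user accounts and audit points listed in step 2.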
Conclusion
The swift exploitation of the CVE-2025-5947 vulnerability highlights the importance of timely updates and vigilant security practices. Administrators must remain proactive in monitoring and securing their WordPress installations to protect against such threats.