A significant security flaw has been identified in the Service Finder WordPress theme, enabling unauthorized users to gain full control over affected websites. This vulnerability, designated as CVE-2025-5947 with a CVSS score of 9.8, is actively being exploited by malicious actors to access any account, including those with administrative privileges.
Understanding the Vulnerability
The issue resides in the Service Finder Bookings plugin, which is integrated with the Service Finder theme. Discovered by a researcher known as Foxyyy, the flaw stems from inadequate validation of user cookies within the plugin’s account switching function (`service_finder_switch_back()`). This oversight allows unauthenticated attackers to log in as any user, including administrators, thereby compromising the entire site.
Scope and Impact
All versions of the Service Finder theme up to and including 6.0 are affected by this vulnerability. The theme has been purchased by over 6,100 customers, according to data from Envato Market. Exploiting this flaw, attackers can hijack websites to insert malicious code, redirect users to fraudulent sites, or host malware, posing significant risks to site owners and visitors alike.
Exploitation Activity
Wordfence, a WordPress security company, has observed exploitation attempts targeting CVE-2025-5947 since August 1, 2025, with over 13,800 incidents detected to date. The success rate of these attacks remains unclear. Notably, the following IP addresses have been associated with these exploitation attempts:
– 5.189.221.98
– 185.109.21.157
– 192.121.16.196
– 194.68.32.71
– 178.125.204.198
Mitigation Measures
The developers addressed this vulnerability on July 17, 2025, with the release of version 6.1 of the Service Finder theme. Administrators are strongly advised to update their themes and plugins to the latest versions promptly. Additionally, conducting regular audits for suspicious activity and implementing robust security practices can help mitigate potential threats.
Conclusion
The discovery of CVE-2025-5947 underscores the critical importance of maintaining up-to-date software and vigilant security practices. Website administrators must act swiftly to patch vulnerabilities and protect their sites from unauthorized access and potential exploitation.
