The Service Finder WordPress theme, widely used for booking services, contains a critical authentication bypass vulnerability identified as CVE-2025-5947 with a CVSS score of 9.8. The vulnerability stems from the plugin's account switching function (service_finder_switch_back()), which fails to properly validate the user's cookie value before logging them in. This flaw allows an unauthenticated attacker to impersonate any user, including administrators, effectively bypassing authentication controls. Exploiting this vulnerability enables attackers to hijack websites, insert malicious payloads, redirect visitors to phishing or malware sites, and potentially use the compromised infrastructure for further attacks. The issue affects all versions of the theme up to and including 6.0 and was fixed in version 6.1 released on July 17, 2025. Since August 1, 2025, active exploitation attempts have been detected, with over 13,800 attempts recorded by Wordfence, though the exact success rate remains unknown. The theme has been sold to more than 6,100 customers globally via Envato Market, indicating a significant attack surface. Several IP addresses have been identified targeting the vulnerable function, suggesting coordinated scanning or exploitation campaigns. The vulnerability's root cause is a lack of proper cookie validation in the account switching mechanism, which is a critical security oversight in the plugin's authentication logic. This flaw allows privilege escalation without requiring any user interaction or prior authentication, making it highly dangerous and easy to exploit. The threat actors can gain full administrative control, compromising confidentiality, integrity, and availability of affected WordPress sites.

European organizations using the Service Finder theme are at high risk of unauthorized site takeover, leading to data breaches, defacement, and distribution of malware or phishing content. Compromised administrative accounts can result in loss of control over website content and user data, damaging reputation and trust. Attackers may leverage hijacked sites to launch further attacks within corporate networks or against customers, amplifying the impact. The widespread use of WordPress in Europe, including by SMEs and service providers, increases the potential scale of impact. Regulatory implications under GDPR could lead to significant fines if personal data is exposed due to exploitation. The threat also poses risks to e-commerce and service booking platforms relying on this theme, potentially disrupting business operations and revenue streams. Given the ease of exploitation and active scanning, organizations face an urgent need to respond to prevent compromise. The presence of known attacker IP addresses targeting European IP ranges suggests regional targeting or collateral scanning. Overall, the impact on confidentiality, integrity, and availability is severe, with potential cascading effects on business continuity and compliance.

Immediately update the Service Finder theme and its bundled Bookings plugin to version 6.1 or later, which contains the patch for CVE-2025-5947. Conduct thorough audits of WordPress sites using this theme to detect unauthorized access or suspicious administrative activity, including reviewing logs for unusual login events or changes. Implement Web Application Firewalls (WAF) with custom rules to block known malicious IP addresses and patterns targeting the vulnerable account switching function. Restrict administrative access by IP whitelisting or multi-factor authentication to reduce risk of account compromise. Regularly monitor site integrity using file integrity monitoring tools to detect unauthorized modifications. Educate site administrators on the risks of using outdated plugins and themes and enforce strict patch management policies. Consider isolating critical WordPress instances in segmented network zones to limit lateral movement if compromised. Engage in threat hunting to identify potential backdoors or persistence mechanisms installed by attackers exploiting this vulnerability. Coordinate with hosting providers to ensure they apply security best practices and assist in incident response if compromise is suspected. Finally, maintain regular backups of site data and configurations to enable rapid recovery if needed.