CVE-2025-5947 is a critical authorization bypass vulnerability identified in the Service Finder Bookings plugin for WordPress, developed by aonetheme. The vulnerability exists in all versions up to and including 6.0 due to improper validation of user-controlled cookie values within the service_finder_switch_back() function. This function is responsible for switching user sessions, but it fails to verify the authenticity of the cookie before logging in the user. As a result, an unauthenticated attacker can craft or manipulate cookie values to impersonate any user, including administrators, effectively bypassing authentication and escalating privileges. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key). The CVSS v3.1 base score is 9.8 (critical), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that the attack can be performed remotely without authentication or user interaction, and it impacts confidentiality, integrity, and availability severely. Although no exploits have been publicly reported yet, the vulnerability's nature and ease of exploitation make it a high-risk threat. The plugin is widely used in WordPress environments for booking services, making many websites potentially vulnerable. The flaw allows attackers to gain full control over affected sites, potentially leading to data theft, site defacement, or further network compromise.

The impact of CVE-2025-5947 is severe for organizations using the Service Finder Bookings plugin on WordPress. Successful exploitation grants attackers full administrative access without authentication, compromising the confidentiality, integrity, and availability of the affected websites. Attackers can steal sensitive data, modify or delete content, inject malicious code, or use the compromised site as a pivot point for further attacks within the organization's network. This can lead to reputational damage, financial loss, regulatory penalties, and disruption of business operations. Given WordPress's widespread use globally, the vulnerability poses a significant risk to small businesses, enterprises, and service providers relying on this plugin for booking management. The ease of exploitation and lack of required user interaction increase the likelihood of automated attacks and mass exploitation attempts once public exploit code becomes available.

To mitigate CVE-2025-5947, organizations should immediately update the Service Finder Bookings plugin to a patched version once released by aonetheme. Until a patch is available, administrators should consider disabling the plugin or restricting access to the affected functionality. Implementing a Web Application Firewall (WAF) with custom rules to detect and block suspicious cookie manipulation attempts can provide interim protection. Monitoring web server and application logs for unusual login activity or cookie anomalies is critical for early detection. Additionally, enforcing multi-factor authentication (MFA) on WordPress admin accounts can reduce the impact of unauthorized access. Regular backups and incident response plans should be reviewed and tested to ensure rapid recovery in case of compromise. Developers and site administrators should audit custom code and third-party plugins for similar insecure session management practices to prevent analogous vulnerabilities.