CVE-2025-5947 is a critical authorization bypass vulnerability classified under CWE-639, affecting the Service Finder Bookings plugin for WordPress developed by aonetheme. The vulnerability arises from improper validation of a user-controlled cookie within the service_finder_switch_back() function. This function is intended to allow users to switch back to their original accounts but fails to verify the authenticity of the cookie, enabling attackers to craft malicious cookie values. Consequently, an unauthenticated attacker can impersonate any user, including administrators, effectively bypassing all authentication mechanisms. This leads to privilege escalation, granting full control over the affected WordPress site. The vulnerability affects all versions up to and including 6.0 of the plugin. The CVSS 3.1 base score is 9.8 (critical), reflecting its network attack vector (AV:N), no required privileges (PR:N), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no exploits have been reported in the wild yet, the ease of exploitation and the severity of impact make this a highly dangerous vulnerability. The lack of a patch at the time of disclosure increases the urgency for mitigation. Attackers exploiting this flaw could deface websites, steal sensitive data, inject malicious code, or use compromised sites as pivot points for further attacks.

For European organizations, the impact of CVE-2025-5947 can be severe. Many businesses and public sector entities rely on WordPress for their websites and service booking functionalities, especially small and medium enterprises (SMEs) in sectors like hospitality, healthcare, and professional services. Exploitation could lead to unauthorized administrative access, resulting in data breaches involving personal data protected under GDPR, website defacement, service disruption, and loss of customer trust. The ability to escalate privileges without authentication means attackers can fully control affected sites, potentially deploying ransomware or using the compromised infrastructure for phishing or further attacks. This could also lead to regulatory fines and reputational damage. Given the widespread use of WordPress and the plugin’s popularity, the scope of affected systems across Europe could be substantial, particularly in countries with high WordPress market penetration and active digital service sectors.

Immediate mitigation steps include auditing all WordPress installations for the presence of the Service Finder Bookings plugin and identifying versions up to 6.0. Until a vendor patch is released, organizations should disable or uninstall the plugin to prevent exploitation. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious cookie manipulation targeting the service_finder_switch_back() function can provide temporary protection. Restrict administrative access to trusted IP addresses and enforce multi-factor authentication (MFA) on WordPress admin accounts to reduce risk. Regularly monitor logs for unusual login activities or cookie anomalies. Organizations should subscribe to vendor and security community updates to apply patches promptly once available. Additionally, conducting penetration testing focused on authentication bypass scenarios can help identify other potential weaknesses. Backup critical data and ensure incident response plans are updated to handle potential compromises related to this vulnerability.