CVE-2025-5948: CWE-639 Authorization Bypass Through User-Controlled Key in aonetheme Service Finder Bookings
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's identity prior to claiming a business when using the claim_business AJAX action. This makes it possible for unauthenticated attackers to log in as any user, including admins. Please note that subscriber privileges or brute-forcing are needed when completing the business takeover. The claim_id is needed to take over the admin account, but brute-forcing is a practical approach to obtaining valid IDs.
AI Analysis
Technical Summary
CVE-2025-5948 is a critical authorization bypass vulnerability classified under CWE-639, affecting the Service Finder Bookings plugin for WordPress developed by aonetheme. The vulnerability exists in the claim_business AJAX action, where the plugin fails to properly validate the identity of the user attempting to claim a business listing. This flaw allows unauthenticated attackers to escalate privileges by taking over accounts, including administrative users. The attack requires either subscriber privileges or brute-forcing to obtain valid claim_id parameters, which identify business claims. Because the claim_id can be brute-forced practically, attackers can impersonate any user, including admins, leading to full site compromise. The vulnerability affects all versions up to and including 6.0 of the plugin. The CVSS 3.1 base score is 9.8, indicating critical severity: network attack vector, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No official patches or fixes have been released as of now, and no known exploits have been reported in the wild. The vulnerability was reserved in June 2025 and published in September 2025. This flaw poses a significant risk to WordPress sites using this plugin, potentially allowing attackers to gain complete control over the site and its data.
Potential Impact
The impact of CVE-2025-5948 is severe for organizations running WordPress sites with the vulnerable Service Finder Bookings plugin. Successful exploitation allows attackers to take over any user account, including administrators, leading to full site compromise. This can result in unauthorized access to sensitive data, defacement, insertion of malicious code, disruption of services, and use of the compromised site as a launchpad for further attacks. The vulnerability undermines the confidentiality, integrity, and availability of the affected systems. Given the plugin's use in service booking and business listings, attackers could manipulate business information or disrupt customer interactions, damaging reputation and trust. The ease of exploitation without authentication or user interaction increases the risk of widespread attacks. Organizations may face regulatory and compliance consequences if customer data is exposed. The lack of patches exacerbates the threat, requiring immediate mitigation to prevent exploitation.
Mitigation Recommendations
1. Immediately disable or deactivate the Service Finder Bookings plugin until a security patch is released.
2. Monitor and restrict access to the claim_business AJAX endpoint using web application firewalls (WAF) or custom rules to block suspicious requests, especially those attempting to brute-force claim_id values.
3. Implement rate limiting on AJAX endpoints to reduce the feasibility of brute-force attacks.
4. Enforce strong subscriber account security policies, including multi-factor authentication (MFA) and strong password requirements, to reduce the risk of privilege abuse.
5. Audit existing user accounts and business claims for unauthorized changes or suspicious activity.
6. Keep WordPress core and all plugins updated and subscribe to security advisories from the plugin vendor and WordPress security communities.
7. Prepare incident response plans to quickly respond to potential exploitation.
8. Consider isolating or sandboxing the plugin functionality if disabling is not feasible, limiting its access to critical resources.
9. Once a patch is available, apply it immediately and verify the fix through testing.
10. Educate site administrators about the risks and signs of compromise related to this vulnerability.
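As an added example (not part of this advisory or of the plugin's own code), the following Python script covers the detection side of mitigation steps 2 and 3: it scans web-server access logs for a single client probing many distinct claim_id values against the claim_business AJAX action within a short window. It assumes the action and claim_id parameters are visible in the logged request line (query string, or a log format that records the POST body); the log lines, IP addresses and claim_id values are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (combined log format); not real traffic.
# One client walks claim_id 101..107 in seven seconds; another makes one
# legitimate claim plus an unrelated heartbeat call.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.5 - - [19/Sep/2025:15:30:{i:02d} +0000] "POST /wp-admin/admin-ajax.php'
     f'?action=claim_business&claim_id={100 + i} HTTP/1.1" 200 512' for i in range(1, 8)]
    + ['198.51.100.7 - - [19/Sep/2025:15:31:00 +0000] "POST /wp-admin/admin-ajax.php'
       '?action=claim_business&claim_id=55 HTTP/1.1" 200 512',
       '198.51.100.7 - - [19/Sep/2025:15:31:05 +0000] "POST /wp-admin/admin-ajax.php'
       '?action=heartbeat HTTP/1.1" 200 64']
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PARAM_RE = re.compile(r'[?&](action|claim_id)=([^&\s]+)')

def parse_line(line):
    """Return a dict for a claim_business request, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    params = dict(PARAM_RE.findall(m.group("path")))
    if params.get("action") != "claim_business":
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "claim_id": params.get("claim_id")}

def find_claim_id_bruteforce(log_text, window_seconds=60, threshold=5):
    """Return {ip: max distinct claim_ids} for clients that tried at least
    `threshold` different claim_id values within any `window_seconds` span."""
    by_ip = defaultdict(list)
    for event in filter(None, map(parse_line, log_text.splitlines())):
        by_ip[event["ip"]].append(event)
    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):  # sliding window over this client's requests
            while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            distinct = {e["claim_id"] for e in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), len(distinct))
    return alerts

if __name__ == "__main__":
    print(find_claim_id_bruteforce(SAMPLE_LOG))
```

Tune `window_seconds` and `threshold` to the site's normal claim volume; a legitimate user rarely submits more than a couple of distinct claim_id values per minute.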
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Netherlands, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-09T18:21:57.104Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68cd76f94b8a032c4faa639c
Added to database: 9/19/2025, 3:30:01 PM
Last enriched: 2/27/2026, 3:44:48 PM
Last updated: 3/25/2026, 5:48:56 AM