CVE-2025-5948: CWE-639 Authorization Bypass Through User-Controlled Key in aonetheme Service Finder Bookings
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's identity prior to claiming a business when using the claim_business AJAX action. This makes it possible for unauthenticated attackers to log in as any user, including administrators. Note that subscriber privileges or brute-forcing are needed to complete the business takeover: a valid claim_id is required to take over the admin account, but brute-forcing is a practical way to obtain valid IDs.
AI Analysis
Technical Summary
CVE-2025-5948 is a critical vulnerability in the Service Finder Bookings plugin for WordPress, developed by aonetheme, affecting all versions up to and including 6.0. The flaw is in the claim_business AJAX action: the plugin does not verify that the caller is actually entitled to claim a business before completing the claim, and completing a claim leaves the caller logged in as the user associated with it. Because the claim is selected by the attacker-supplied claim_id parameter, an attacker who supplies a claim_id tied to an administrator account ends up logged in as that administrator. This is the pattern CWE-639 (Authorization Bypass Through User-Controlled Key) describes: the server trusts a client-supplied key to decide which object, and here which account, the caller may act on.

The preconditions are modest. Per the advisory, either subscriber-level privileges or brute-forcing are needed to complete the takeover, and brute-forcing valid claim_id values is considered practical from an unauthenticated position. That is why the CVSS v3.1 score is 9.8 (critical): network-reachable, low complexity, no privileges and no user interaction required, with high impact on confidentiality, integrity, and availability. At the time of this report no patch had been released and no in-the-wild exploitation was known, but the severity and the low barrier to exploitation make it a significant threat to any WordPress site running the plugin.
Potential Impact
For European organizations, this vulnerability poses a severe risk, especially for those relying on WordPress sites with the Service Finder Bookings plugin for business operations, booking management, or customer engagement. Successful exploitation could lead to full administrative account takeover, allowing attackers to manipulate site content, access sensitive customer data, disrupt booking services, or deploy further malware. This could result in reputational damage, regulatory non-compliance (e.g., GDPR violations due to data breaches), financial losses, and operational downtime. Given the criticality and the fact that no authentication is required to initiate the attack, organizations with publicly accessible WordPress sites are at high risk. The vulnerability could also be leveraged as a foothold for lateral movement within corporate networks if the WordPress instance is integrated with internal systems. The absence of known exploits currently provides a window for proactive mitigation, but the practical brute-force approach to claim_id values means attackers could develop exploits rapidly.
Mitigation Recommendations
Immediate mitigation steps include disabling or restricting access to the claim_business AJAX action where possible, at minimum for unauthenticated callers. Because the advisory notes that subscriber privileges are enough to complete the takeover, also disable open user registration (Settings → General, "Anyone can register") if it is not needed, and rate-limit the action for logged-in users. Monitor web server and application logs for requests to the claim_business action, and in particular for a single source cycling through many claim_id values, which is the brute-force signature; WAF rules that rate-limit or block that pattern reduce exposure. Until an official patch is released, remove or deactivate the Service Finder Bookings plugin if it is not critical to business operations. Password strength does not stop this attack, since the bypass never goes through password authentication; instead, audit the list of administrator accounts and active sessions, and if abuse is suspected reset credentials and invalidate sessions. Keep regular backups of the site and database to enable quick recovery, watch for vendor updates or security advisories and apply the patch immediately once available, and consider a targeted penetration test of the claim flow to confirm exposure.
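One way to apply the "restrict the action, log the attempts, rate-limit the rest" advice above is a small must-use plugin, shown here as an added example that is not part of Service Finder Bookings or the vendor's code. It assumes the action is dispatched through WordPress's admin-ajax.php with action=claim_business and a claim_id parameter (the action and parameter names are from the advisory; the admin-ajax.php routing is an assumption), blocks unauthenticated callers with a 403, writes one log line per attempt so the brute-force pattern is visible, and applies a simple per-IP/per-user rate limit for logged-in callers, who the advisory says can still complete the takeover.

```php
<?php
/**
 * Plugin Name: claim_business stopgap (CVE-2025-5948)
 * Description: Temporary mu-plugin; added example, not part of Service Finder Bookings.
 * Install by copying into wp-content/mu-plugins/ (loaded before regular plugins).
 */

// 'init' at priority 0 runs before admin-ajax.php reaches the wp_ajax_* dispatch,
// so dying here prevents the plugin's own claim_business handler from running.
add_action('init', function () {
    if (!wp_doing_ajax()) {
        return;
    }
    // admin-ajax.php takes the action from $_REQUEST, so GET and POST are both covered.
    // Assumption: the plugin routes the claim through admin-ajax.php under this name.
    $action = isset($_REQUEST['action']) ? sanitize_key($_REQUEST['action']) : '';
    if ($action !== 'claim_business') {
        return;
    }

    // REMOTE_ADDR is the real client only if no reverse proxy sits in front of PHP;
    // behind a proxy, substitute the trusted forwarded-for value instead.
    $ip       = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $claim_id = isset($_REQUEST['claim_id'])
        ? sanitize_text_field(wp_unslash($_REQUEST['claim_id']))
        : '';
    $user_id  = get_current_user_id(); // 0 for unauthenticated requests

    // Record every attempt: many distinct claim_id values from one ip/user is the
    // brute-force signature the mitigation text says to alert on.
    error_log(sprintf('[claim_business] ip=%s user=%d claim_id=%s', $ip, $user_id, $claim_id));

    // The advisory describes unauthenticated exploitation; refuse logged-out callers outright.
    if ($user_id === 0) {
        wp_die('Forbidden', 'Forbidden', array('response' => 403));
    }

    // Subscriber accounts can still brute-force claim_id, so cap attempts per
    // ip+user: 5 per 10 minutes here (hypothetical threshold, tune for your site).
    $key   = 'cb_rl_' . md5($ip . '|' . $user_id);
    $count = (int) get_transient($key); // false -> 0 when no window is open
    if ($count >= 5) {
        error_log(sprintf('[claim_business] rate limit ip=%s user=%d', $ip, $user_id));
        wp_die('Too Many Requests', 'Too Many Requests', array('response' => 429));
    }
    set_transient($key, $count + 1, 10 * MINUTE_IN_SECONDS);
}, 0);
```

If the legitimate claim flow on your site must work for logged-out visitors, this breaks it; in that case deactivating the plugin until a fix ships is the safer choice, as the mitigation text recommends. Transients live in the options table (or the object cache, if one is configured), so the limit is shared across PHP workers; the log line goes to PHP's error log, which is where to point your alerting.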
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-09T18:21:57.104Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68cd76f94b8a032c4faa639c
Added to database: 9/19/2025, 3:30:01 PM
Last enriched: 9/19/2025, 3:30:56 PM
Last updated: 12/17/2025, 12:26:36 PM
Related Threats
- CVE-2025-67895 (severity: Unknown): CWE-669: Incorrect Resource Transfer Between Spheres in Apache Software Foundation Apache Airflow Providers Edge3
- CVE-2025-14095 (severity: Medium): CWE-284: Improper Access Control in Radiometer Medical Aps ABL90 FLEX and ABL90 FLEX PLUS Analyzers
- CVE-2025-14101 (severity: High): CWE-639 Authorization Bypass Through User-Controlled Key in GG Soft Software Services Inc. PaperWork
- CVE-2025-14399 (severity: Medium): CWE-352 Cross-Site Request Forgery (CSRF) in wpcodefactory Download Plugins and Themes in ZIP from Dashboard
- CVE-2025-12496 (severity: Medium): CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in dylanjkotze Zephyr Project Manager