CVE-2025-5949 is an authorization bypass vulnerability classified under CWE-639, found in the Service Finder Bookings plugin for WordPress developed by aonetheme. The flaw exists because the plugin fails to properly verify the identity of a user before processing password change requests. Authenticated attackers with subscriber or higher privileges can exploit this weakness to reset passwords of other users, including administrators, effectively escalating their privileges and potentially taking over accounts. The vulnerability affects all versions up to and including 6.0. The CVSS v3.1 score of 8.8 reflects a high-severity issue with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacts confidentiality, integrity, and availability. This means an attacker only needs a low-level authenticated account to perform the attack remotely without any additional user action. The lack of proper authorization checks during password resets is the root cause, enabling attackers to bypass intended access controls. Although no public exploits have been reported yet, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple user roles and administrative accounts. The plugin is commonly used for managing service bookings, making it attractive for attackers targeting service providers and businesses relying on online appointment systems.

For European organizations, this vulnerability could lead to unauthorized account takeovers, including administrative accounts, resulting in full site compromise. Attackers could manipulate bookings, access sensitive customer data, disrupt service availability, or deploy further malware or ransomware. The breach of administrator credentials could allow attackers to modify site content, steal data, or pivot to other internal systems. Organizations in sectors such as healthcare, legal, education, and professional services that use Service Finder Bookings for client scheduling are particularly vulnerable. The impact extends to reputational damage, regulatory penalties under GDPR due to data breaches, and operational disruptions. Given the plugin’s widespread use in small to medium enterprises across Europe, the threat surface is substantial. The ease of exploitation and high privileges gained make this a critical risk for maintaining trust and compliance in digital services.

Immediate mitigation steps include restricting user roles to the minimum necessary privileges, especially limiting subscriber accounts from accessing password reset functionalities. Organizations should monitor logs for unusual password reset activities and implement multi-factor authentication (MFA) for administrative accounts to reduce the risk of takeover. Until an official patch is released, consider disabling or replacing the Service Finder Bookings plugin with alternative booking solutions that do not have this vulnerability. Web application firewalls (WAFs) can be configured to detect and block suspicious password reset requests. Regular backups and incident response plans should be updated to prepare for potential exploitation. Once patches become available from aonetheme, prompt application is critical. Additionally, educating users about phishing and credential security can help mitigate risks from compromised accounts.