CVE-2025-6574 is an authorization bypass vulnerability categorized under CWE-639, affecting the Service Finder Bookings plugin for WordPress developed by aonetheme. The flaw exists because the plugin fails to properly validate the identity of users before allowing updates to sensitive account details such as email addresses. This improper validation enables authenticated attackers with minimal privileges (subscriber-level or above) to modify the email addresses of arbitrary users, including administrators. By changing an administrator's email, the attacker can trigger password reset mechanisms to gain full control over the administrator account, effectively escalating their privileges from a low-level user to a site administrator. The vulnerability affects all versions of the plugin prior to 6.1, with no patch currently available as per the provided data. The CVSS v3.1 score of 8.8 reflects the high impact and ease of exploitation: the attack vector is network-based, requires low attack complexity, privileges at the subscriber level, and no user interaction. The scope is unchanged but the impact on confidentiality, integrity, and availability is high, as attackers can fully compromise the site. This vulnerability poses a significant risk to WordPress sites using this plugin, as it can lead to complete site takeover, data theft, defacement, or further malware deployment.

For European organizations, this vulnerability presents a serious threat to the security and integrity of websites using the Service Finder Bookings plugin. Organizations in sectors such as hospitality, healthcare, education, and professional services that rely on WordPress for booking and appointment management could face unauthorized access to sensitive user data and administrative controls. Successful exploitation could lead to data breaches, loss of customer trust, disruption of services, and potential regulatory penalties under GDPR due to unauthorized access and data manipulation. The ability to escalate privileges from subscriber to administrator means attackers can implant malicious code, deface websites, or exfiltrate confidential information. Given the widespread use of WordPress in Europe and the popularity of booking plugins, the risk is amplified. Additionally, the lack of a patch increases exposure time, making timely mitigation critical. The vulnerability could also be leveraged in targeted attacks against organizations with strategic importance or high-profile web presence in Europe.

Immediate mitigation steps include restricting subscriber-level user capabilities and limiting the number of users with subscriber or higher roles until a patch is available. Administrators should monitor user account changes, especially email modifications, and implement multi-factor authentication (MFA) to reduce the risk of account takeover via password resets. Web application firewalls (WAFs) can be configured to detect and block suspicious requests attempting to change user emails or perform unauthorized account modifications. Site owners should audit plugin usage and consider disabling or replacing the Service Finder Bookings plugin if possible. Regular backups and monitoring for unusual activity are essential to enable quick recovery in case of compromise. Once the vendor releases a patch, immediate updating to version 6.1 or later is critical. Additionally, organizations should educate users about phishing risks related to password reset emails that could be triggered by this vulnerability.