CVE-2025-6574: CWE-639 Authorization Bypass Through User-Controlled Key in aonetheme Service Finder Bookings
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and excluding, 6.1. This is due to the plugin not properly validating a user's identity prior to updating their details, such as email. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary users' email addresses, including those of administrators, and leverage that to reset the user's password and gain access to their account.
AI Analysis
Technical Summary
CVE-2025-6574 is a vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) in the Service Finder Bookings plugin for WordPress, developed by aonetheme. The flaw exists in all versions up to, but excluding, version 6.1. The core issue is that the plugin fails to verify that the user making a request is actually entitled to update the targeted account before it writes sensitive details such as the email address; the account being modified is effectively selected by a caller-controlled key rather than by the caller's own identity. This enables an authenticated attacker with subscriber-level privileges or higher to modify the email address of any user, including administrators. Once the address points to a mailbox the attacker controls, a normal password reset delivers a reset link to that mailbox, and the targeted account is taken over. The vulnerability is remotely exploitable over the network without user interaction, and the attacker needs only low privileges (subscriber or above). The CVSS 3.1 base score is 8.8 (high severity): network attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No public exploits are known at this time, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple user roles and administrative accounts. The advisory carries no patch link, which suggests that a fix is pending or not yet publicly available, so vigilance and interim mitigations are warranted.
Potential Impact
The vulnerability allows attackers to escalate privileges from low-level subscriber accounts to full administrative control by hijacking accounts through email changes and password resets. For European organizations, this can lead to unauthorized access to sensitive data, disruption of services, and potential data breaches. Compromised administrator accounts can be used to deploy malware, deface websites, or pivot to other internal systems. Given the widespread use of WordPress across Europe, especially in small and medium enterprises, the impact could be significant. Organizations in regulated sectors such as finance, healthcare, and government could face compliance violations and reputational damage if exploited. The remote exploitability and lack of user interaction make this vulnerability particularly dangerous, as attackers can automate attacks at scale. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially once exploit code becomes available.
Mitigation Recommendations
Until an official patch is released, organizations should apply strict role-based access controls, keep the number of subscriber-level accounts to a minimum, and monitor for suspicious account changes. Custom code or plugins can be deployed to enforce identity verification before an email address update is allowed, so that only the account owner or a user with the right to edit other users can change it. Administrators should audit user accounts regularly for unauthorized changes and enable multi-factor authentication (MFA) to reduce the impact of an account takeover. Perimeter protections such as web application firewalls (WAFs) can be configured to detect and block anomalous requests targeting the plugin's update functions. Organizations should subscribe to vendor and security mailing lists to receive timely patch notifications. Once a patch is available, updating the Service Finder Bookings plugin immediately is critical. Additionally, password reset workflows should be reviewed to ensure they cannot be abused via email changes, for example by notifying the old address and requiring confirmation of the new one. Backup and incident response plans should be updated so that a compromise can be recovered from quickly.
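As an added example of the "custom code to enforce identity verification" mitigation above, the following must-use plugin is not part of Service Finder Bookings or of this advisory; it is an illustration written for this page. It relies on two real WordPress core hooks, the `wp_pre_insert_user_data` filter and the `profile_update` action, and on the core `edit_user` meta capability, which grants a user the right to edit their own account and grants administrators (holders of `edit_users`) the right to edit anyone. The assumption, labelled in the comments, is that the plugin's profile-update path ends in `wp_update_user()` / `wp_insert_user()`; the `hm_` function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Guard user e-mail changes (added example, not part of Service Finder Bookings)
 * Description: Refuses e-mail changes on accounts the requester may not edit, and logs the ones that go through.
 *
 * Install by copying into wp-content/mu-plugins/ so it loads before ordinary plugins.
 *
 * ASSUMPTION: the vulnerable update path calls wp_update_user()/wp_insert_user(), which
 * run the core hooks below. A plugin that writes to the users table with $wpdb directly
 * would bypass this guard, so it complements, rather than replaces, the vendor fix.
 */

defined( 'ABSPATH' ) || exit;

/**
 * Filter callback for wp_pre_insert_user_data.
 * $data    - sanitised column values about to be written (user_email among them)
 * $update  - true when an existing account is being modified
 * $user_id - ID of the account being modified (null on insert)
 *
 * Allows the write when the address is unchanged or the current user is allowed to
 * edit the target account; otherwise logs the attempt and aborts with HTTP 403.
 */
function hm_guard_email_change( $data, $update, $user_id ) {
    // Only updates to existing accounts that carry an e-mail address are of interest.
    if ( ! $update || empty( $data['user_email'] ) || empty( $user_id ) ) {
        return $data;
    }

    $target = get_userdata( $user_id );
    if ( ! $target || strcasecmp( $target->user_email, $data['user_email'] ) === 0 ) {
        return $data; // address not changing: nothing to enforce
    }

    // edit_user is a core meta capability: true for the account owner and for users
    // holding edit_users (administrators). Subscribers get false for any other account.
    if ( current_user_can( 'edit_user', $user_id ) ) {
        return $data;
    }

    error_log( sprintf(
        'hm_guard: user %d (%s) denied changing e-mail of user %d to %s',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown',
        $user_id,
        $data['user_email']
    ) );
    wp_die( 'You are not allowed to change this account\'s e-mail address.', 403 );
}
add_filter( 'wp_pre_insert_user_data', 'hm_guard_email_change', 10, 3 );

/**
 * Action callback for profile_update: audit trail for e-mail changes that were allowed.
 * $old_user_data is the WP_User object as it was before the write.
 * Reviewing these lines for changes to administrator accounts is the "audit user
 * accounts regularly" step from the mitigation list.
 */
function hm_log_email_change( $user_id, $old_user_data ) {
    $new = get_userdata( $user_id );
    if ( $new && strcasecmp( $new->user_email, $old_user_data->user_email ) !== 0 ) {
        error_log( sprintf(
            'hm_audit: e-mail of user %d changed from %s to %s by user %d',
            $user_id,
            $old_user_data->user_email,
            $new->user_email,
            get_current_user_id()
        ) );
    }
}
add_action( 'profile_update', 'hm_log_email_change', 10, 2 );
```

The guard deliberately checks the capability against the account being written (`$user_id`), not against the caller's own ID taken from the request, which is exactly the distinction a CWE-639 flaw gets wrong. `wp_die()` with a 403 stops the whole `wp_insert_user()` call, so no partial update reaches the database. Both log lines go to the PHP error log (`WP_DEBUG_LOG` or the server's log), where a WAF or SIEM rule can pick up repeated `hm_guard` denials from one account as a sign of probing.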
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-24T14:07:03.697Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6905ae02e1b1aafea8d7ec94
Added to database: 11/1/2025, 6:51:46 AM
Last enriched: 11/10/2025, 2:36:25 AM
Last updated: 12/16/2025, 4:21:38 AM