The vulnerability identified as CVE-2025-6574 affects the Service Finder Bookings plugin for WordPress, developed by aonetheme. This plugin is widely used for managing service bookings on WordPress sites. The flaw is an authorization bypass caused by improper validation of user identity when updating user details, specifically email addresses. Authenticated attackers with subscriber-level privileges or higher can exploit this weakness to change the email address associated with any user account, including administrators. By altering the email, attackers can trigger password reset mechanisms to gain full control over the targeted accounts. This vulnerability is classified under CWE-639, which involves authorization bypass through user-controlled keys or parameters. The vulnerability is remotely exploitable over the network without requiring user interaction, making it highly accessible to attackers who have any authenticated access. The CVSS v3.1 score of 8.8 indicates a high-severity issue with network attack vector, low attack complexity, privileges required at a low level, no user interaction, and impacts on confidentiality, integrity, and availability. No official patches or exploit code are currently publicly available, but the risk remains significant due to the potential for complete account takeover and subsequent site compromise.

The impact of CVE-2025-6574 is severe for organizations using the Service Finder Bookings plugin. Attackers can escalate privileges from low-level subscriber accounts to administrator accounts, enabling full control over the WordPress site. This can lead to unauthorized data access, modification, or deletion, disruption of services, and potential deployment of further malicious payloads such as backdoors or ransomware. Compromise of administrator accounts also undermines the integrity and availability of the entire website and potentially connected systems. For businesses relying on the plugin for customer bookings, this could result in loss of customer trust, financial damage, and regulatory compliance issues due to data breaches. The vulnerability's ease of exploitation and broad impact on confidentiality, integrity, and availability make it a critical risk for affected organizations worldwide.

1. Immediately update the Service Finder Bookings plugin to version 6.1 or later once a patch is released by the vendor. 2. Until an official patch is available, restrict access to the plugin's user management features to trusted roles only, minimizing subscriber-level access. 3. Implement additional monitoring and alerting for unusual changes to user email addresses and password reset requests. 4. Enforce multi-factor authentication (MFA) for all administrator and privileged accounts to reduce the risk of account takeover. 5. Review and harden WordPress user role assignments to ensure least privilege principles are followed. 6. Regularly audit logs for suspicious activity related to user account modifications. 7. Consider temporarily disabling the plugin if it is not critical to operations or if mitigation is not feasible. 8. Educate users about phishing and social engineering risks that could compound exploitation of this vulnerability.