PT-2025-31598 · WordPress · Service Finder Bookings

Friderika Baranyai · Published 2025-08-01 · Updated 2025-10-09 · CVE-2025-5947

CVSS v3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Service Finder Bookings plugin for WordPress, versions prior to 6.1

Description: The Service Finder Bookings plugin for WordPress contains an authentication bypass that lets unauthenticated attackers log in as any user, including administrators, and thereby gain full administrative access to the site. The cause is improper validation of a user-supplied cookie value before login in the plugin's service_finder_switch_back() function: the user ID taken from the cookie is trusted without being tied to an authenticated session. Over 13,800 attack attempts have been recorded since August 2025, with more than 1,500 attacks per day observed since late September.

Recommendations: Update to Service Finder Bookings version 6.1 or later, which fixes the issue.
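The following is an added illustrative example, not code from the Service Finder Bookings plugin or from this advisory. It shows the class of flaw described above (a "switch back" routine that reads a user ID from a cookie and authenticates that user without any check) next to a hardened version that keeps the switch record server side and binds it to a random token. The cookie names (original_user_id, sf_switch_token), the user-meta keys (_sf_original_user, _sf_switch_token_hash) and the nonce action names are assumptions chosen for the example; only the WordPress core functions used are real.

```php
<?php
// Added illustrative example; not the plugin's own code.
// Assumed names: cookies 'original_user_id' and 'sf_switch_token',
// user-meta keys '_sf_original_user' and '_sf_switch_token_hash',
// nonce actions 'sf_switch_to' and 'sf_switch_back'.

// VULNERABLE PATTERN: the user ID comes straight from an attacker-controlled
// cookie and is never tied to an authenticated session, so any visitor who
// sends original_user_id=1 is logged in as user 1 (usually the first admin).
function vulnerable_switch_back() {
    if ( empty( $_COOKIE['original_user_id'] ) ) {
        return;
    }
    $user_id = (int) $_COOKIE['original_user_id'];
    wp_set_auth_cookie( $user_id );   // issues a valid session for $user_id
    wp_set_current_user( $user_id );
    wp_safe_redirect( admin_url() );
    exit;
}

// HARDENED PATTERN, step 1: switching to another user requires a logged-in
// caller with a suitable capability and a nonce. The original user ID is
// stored server side on the impersonated account together with the hash of
// a random token; the cookie carries only that token, never a user ID.
function hardened_switch_to( $target_user_id ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_users' ) ) {
        wp_die( 'Not allowed', 403 );
    }
    if ( ! isset( $_GET['_wpnonce'] ) || ! wp_verify_nonce( $_GET['_wpnonce'], 'sf_switch_to' ) ) {
        wp_die( 'Bad nonce', 403 );
    }
    $original_id = get_current_user_id();
    $token       = bin2hex( random_bytes( 32 ) );
    update_user_meta( $target_user_id, '_sf_original_user', $original_id );
    update_user_meta( $target_user_id, '_sf_switch_token_hash', wp_hash( $token ) );
    setcookie( 'sf_switch_token', $token, array(
        'expires'  => time() + HOUR_IN_SECONDS,
        'path'     => COOKIEPATH,
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ) );
    wp_set_auth_cookie( $target_user_id );
    wp_set_current_user( $target_user_id );
}

// HARDENED PATTERN, step 2: switching back only works for a logged-in user
// whose own account carries a switch record, and only if the cookie token
// hashes to the stored value (constant-time comparison). The record is
// deleted before re-authenticating so it cannot be replayed.
function hardened_switch_back() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not allowed', 403 );
    }
    if ( ! isset( $_GET['_wpnonce'] ) || ! wp_verify_nonce( $_GET['_wpnonce'], 'sf_switch_back' ) ) {
        wp_die( 'Bad nonce', 403 );
    }
    $current_id  = get_current_user_id();
    $original_id = (int) get_user_meta( $current_id, '_sf_original_user', true );
    $stored_hash = (string) get_user_meta( $current_id, '_sf_switch_token_hash', true );
    $token       = isset( $_COOKIE['sf_switch_token'] ) ? (string) $_COOKIE['sf_switch_token'] : '';

    if ( ! $original_id || '' === $stored_hash || ! hash_equals( $stored_hash, wp_hash( $token ) ) ) {
        wp_die( 'Not allowed', 403 );
    }
    delete_user_meta( $current_id, '_sf_original_user' );
    delete_user_meta( $current_id, '_sf_switch_token_hash' );

    wp_set_auth_cookie( $original_id );
    wp_set_current_user( $original_id );
    wp_safe_redirect( admin_url() );
    exit;
}
```

The key difference is where the trust lives: in the vulnerable version the cookie is the sole authority for who to become, so an unauthenticated request with a chosen ID is enough; in the hardened version the cookie is only a bearer token whose hash must match a server-side record that itself can only be created by an authenticated, capable user, and the operation is gated by a nonce and consumed on first use.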

Tags: Fix · LPE · IDOR

Weakness Enumeration

Related Identifiers: CVE-2025-5947

Affected Products: Service Finder Bookings