PT-2025-17899 · Unknown · Nextend Social Login Pro+1

Alyudin Nafiie · Published 2025-04-25 · Updated 2025-04-26 · CVE-2025-2470

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Service Finder Bookings plugin for WordPress, versions up to and including 5.1

Description: The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation due to a lack of restriction on the user role in the nsl registration store extra input function. This allows unauthenticated attackers to register an account on the site with an arbitrary role, including Administrator, when registering via a social login. The Nextend Social Login plugin must be installed and configured for this issue to be exploitable.

Recommendations: For versions up to and including 5.1, update to a version that includes a fix for this issue. As a temporary workaround, consider disabling the nsl registration store extra input function until a patch is available. Restrict access to social login features to minimize the risk of exploitation. Avoid using social login for registration until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
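The following is an added illustration, not code from the Service Finder Bookings or Nextend Social Login plugins: a hypothetical registration handler that trusts a role taken from social-login extra input (the class of defect the advisory describes), next to a hardened version that enforces a self-registration role allowlist, plus a site-level backstop hooked on WordPress's `set_user_role` action. Function names prefixed `example_` and the role lists are assumptions.

```php
<?php
// Hypothetical vulnerable pattern: the role string from the registration
// extra-input is assigned unchecked, so an unauthenticated registrant who
// submits "administrator" gets that role.
function example_store_extra_input_vulnerable( int $user_id, array $extra ): void {
    $role = sanitize_key( $extra['role'] ?? get_option( 'default_role', 'subscriber' ) );
    ( new WP_User( $user_id ) )->set_role( $role );
}

// Hardened pattern: self-service sign-up may only yield low-privilege roles.
function example_allowed_self_registration_roles(): array {
    // Assumed allowlist; adjust to the roles a site actually offers at sign-up.
    return array( 'subscriber', 'customer' );
}

function example_store_extra_input_hardened( int $user_id, array $extra ): void {
    $requested = sanitize_key( $extra['role'] ?? '' );
    $role      = in_array( $requested, example_allowed_self_registration_roles(), true )
        ? $requested
        : get_option( 'default_role', 'subscriber' );
    ( new WP_User( $user_id ) )->set_role( $role );
}

// Site-level backstop (e.g. in a must-use plugin): whenever any code path
// assigns a privileged role while the acting user cannot promote users,
// revert to the default role and log it. set_user_role fires from
// WP_User::set_role(); the recursive call below assigns a non-privileged
// role, so the hook terminates after one extra invocation.
add_action( 'set_user_role', function ( int $user_id, string $role ): void {
    $privileged = array( 'administrator', 'editor', 'shop_manager' ); // assumed list
    if ( ! in_array( $role, $privileged, true ) || current_user_can( 'promote_users' ) ) {
        return;
    }
    error_log( sprintf( 'Reverted unauthorized role "%s" on user %d', $role, $user_id ) );
    ( new WP_User( $user_id ) )->set_role( get_option( 'default_role', 'subscriber' ) );
}, 999, 2 );
```

The backstop also fires for role changes made from WP-CLI without `--user`, where no user is logged in, so run such administrative commands with an account that holds `promote_users`.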

LPE

Weakness Enumeration: Incorrect Privilege Assignment

Related Identifiers: CVE-2025-2470

Affected Products: Nextend Social Login Pro, Service Finder Bookings