PT-2025-31598 · WordPress · Service Finder Bookings
Friderika Baranyai · Published 2025-07-31 · Updated 2026-02-05 · CVE-2025-5947
CVSS v2.0: 10 (Critical) | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Service Finder Bookings plugin for WordPress versions up to and including 6.0
Description
The Service Finder Bookings plugin for WordPress is susceptible to a privilege escalation issue due to an authentication bypass. This occurs because the plugin does not properly validate a user's cookie value before granting access through the service_finder_switch_back() function. This allows unauthenticated attackers to log in as any user, including administrators. Over 13,800 exploit attempts have been recorded since August, indicating active exploitation of this issue. The vulnerability allows attackers to bypass authentication and gain unauthorized access to any account, including administrator accounts, potentially leading to the seizure of control, injection of malicious code, redirection to phishing pages, or hosting of malware.
Recommendations
Update to Service Finder Bookings version 6.1 to address this vulnerability.
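As an added illustration (not the plugin's own code, which this record does not show), the following Python contrasts a switch-back that trusts a raw cookie value with one that only honours an HMAC-signed, expiring token bound to the session that started the impersonation. The secret, token layout and field names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: a server-side secret that never reaches the client.
SECRET = b"constructed-demo-secret-rotate-in-production"
SIG_LEN = hashlib.sha256().digest_size  # 32 bytes


def weak_switch_back(cookie_value: str) -> int:
    """Weak pattern: whatever user id the client put in the cookie is the
    account the caller is 'switched back' to, with no proof it was ever issued."""
    return int(cookie_value)


def issue_switch_back_token(original_user_id: int, impersonated_user_id: int,
                            ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Issued once at impersonation time; records who started it, for whom, and until when."""
    now = time.time() if now is None else now
    payload = json.dumps({"orig": original_user_id, "imp": impersonated_user_id,
                          "exp": int(now + ttl_seconds)}, separators=(",", ":")).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode()


def safe_switch_back(token: str, current_user_id: int,
                     now: Optional[float] = None) -> Optional[int]:
    """Return the original user id only if the token is authentic, unexpired and
    was issued to the session that is now asking to switch back; else None."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= SIG_LEN:
        return None
    payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    data = json.loads(payload)  # safe to parse: signature already verified
    if data["exp"] < now or data["imp"] != current_user_id:
        return None
    return data["orig"]
```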
Tags: Fix, LPE, IDOR
Weakness Enumeration
Related Identifiers
Affected Products
Service Finder Bookings