PT-2025-44707 · WordPress · Service Finder Bookings
Friderika Baranyai · Published 2025-11-01 · Updated 2025-11-20
CVE-2025-5949
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Service Finder Bookings plugin for WordPress versions up to and including 6.0
Description
The Service Finder Bookings plugin for WordPress is susceptible to privilege escalation, potentially leading to account takeover. The plugin does not adequately verify a user's identity before processing a password change request, so an authenticated attacker with subscriber access or higher can reset the passwords of other users, including administrators. The vulnerable functionality is the change candidate password function.
Recommendations
Update the plugin to version 6.1 or later.
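The root cause described above is a password change handler that trusts a client-supplied user identifier without binding it to the authenticated user. The following is an added, hypothetical WordPress AJAX handler (not the plugin's own code; the action name, parameter names and nonce name are assumptions) showing the checks that close this class of IDOR: a nonce, an ownership/capability check on the target user, and re-authentication with the current password.

```php
<?php
// Hypothetical WordPress AJAX handler for a "change password" action, added
// here as an illustration of the authorization checks this class of bug lacks.
// It is not the Service Finder Bookings plugin's code.

add_action( 'wp_ajax_example_change_password', 'example_change_password' );

function example_change_password() {
    // 1. CSRF protection: the request must carry a nonce issued to this user.
    check_ajax_referer( 'example_change_password', 'nonce' );

    $target_id    = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $current_pass = isset( $_POST['current_password'] ) ? (string) wp_unslash( $_POST['current_password'] ) : '';
    $new_pass     = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';

    // 2. Identity binding: a low-privilege user may only change their own
    //    password. Acting on a client-supplied user_id without this check is
    //    exactly the IDOR that lets a subscriber reset an administrator's password.
    if ( $target_id !== get_current_user_id() && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'not allowed', 403 );
    }

    $user = get_userdata( $target_id );
    if ( ! $user ) {
        wp_send_json_error( 'unknown user', 404 );
    }

    // 3. Re-authentication: when users change their own credentials, require the
    //    current password so a hijacked session alone is not sufficient.
    if ( $target_id === get_current_user_id()
         && ! wp_check_password( $current_pass, $user->user_pass, $user->ID ) ) {
        wp_send_json_error( 'current password incorrect', 403 );
    }

    // 4. Minimal password policy (length threshold is an assumption).
    if ( strlen( $new_pass ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }

    // Only now is the password actually changed. wp_set_password() hashes the
    // value and invalidates the user's existing sessions.
    wp_set_password( $new_pass, $target_id );
    wp_send_json_success( 'password changed' );
}
```

When reviewing a plugin for this bug, look for the equivalent of step 2: any handler that reads a user ID from the request and calls wp_set_password() or wp_update_user() without comparing it to get_current_user_id() or checking a capability against that specific user.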
Tags: Fix, LPE, IDOR
Affected Products
Service Finder Bookings