PT-2025-44719 · WordPress · Service Finder Bookings

Thái An · Published 2025-11-01 · Updated 2025-11-01
CVE-2025-6574 · CVSS v3.1 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Service Finder Bookings plugin for WordPress, versions prior to 6.1

Description: The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation leading to account takeover. The plugin does not adequately verify that the authenticated user is entitled to modify the targeted account before it applies updates to user details such as the email address. Any authenticated attacker with subscriber-level access or higher can therefore change the email address of an arbitrary user, including an administrator, and then use the password-reset flow, which delivers the reset link to the new address, to gain unauthorized access to that account.

Recommendations: Update to version 6.1 or later, which addresses this issue.
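To illustrate the weakness class the advisory describes, below is an added example written for this page; it is not code from the Service Finder Bookings plugin, and the hook names, request parameter names and nonce action are assumptions. The first handler trusts a caller-supplied user ID and updates that user's email with no authorization check; the second binds the target to the current session unless the caller holds the edit_user capability for the requested user.

```php
<?php
// Added illustrative example, not the plugin's own code. Hook names,
// parameter names and the nonce action below are assumptions.

// --- Vulnerable pattern -------------------------------------------------
// wp_ajax_* hooks only fire for logged-in users, which matches the
// "subscriber-level access or higher" precondition. The handler trusts
// $_POST['user_id'], so any authenticated user can retarget the update at
// an administrator's account and then request a password reset for it.
add_action( 'wp_ajax_example_update_profile', 'example_update_profile_vulnerable' );
function example_update_profile_vulnerable() {
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $email   = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';

    if ( ! $user_id || ! is_email( $email ) ) {
        wp_send_json_error( 'invalid input', 400 );
    }

    // Missing: any check that the current user may edit $user_id.
    $result = wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------
add_action( 'wp_ajax_example_update_profile_safe', 'example_update_profile_hardened' );
function example_update_profile_hardened() {
    // 1. CSRF protection: the request must carry a nonce for this action.
    check_ajax_referer( 'example_update_profile', '_wpnonce' );

    $requested_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $email        = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';

    // 2. Authorization: default the target to the session's own user. A
    //    different target is only accepted when the caller holds edit_user
    //    for that specific ID (a core meta-capability resolved by map_meta_cap).
    $target_id = get_current_user_id();
    if ( $requested_id && $requested_id !== $target_id ) {
        if ( ! current_user_can( 'edit_user', $requested_id ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        $target_id = $requested_id;
    }

    // 3. Input validation: well-formed and not already taken by another account.
    if ( ! is_email( $email ) || email_exists( $email ) ) {
        wp_send_json_error( 'invalid or duplicate email', 400 );
    }

    $result = wp_update_user( array( 'ID' => $target_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}
```

The authorization step is the control that matters for this CVE; the nonce only stops cross-site requests and does nothing against a logged-in attacker submitting the form directly. When auditing a site for exploitation, note that wp_update_user sends a "Notice of Email Change" to the previous address unless the send_email_change_email filter has been disabled, so administrators' old mailboxes and the wp_users.user_email column for privileged accounts are the first places to check.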

Fix

LPE

IDOR

Weakness Enumeration

Related Identifiers

CVE-2025-6574

Affected Products

Service Finder Bookings