The WordPress Service Finder Bookings plugin has a critical authentication bypass vulnerability, tracked as CVE-2025-5947, that affects all versions up to and including 6.0 (everything before the 6.1 fix). Because the plugin does not properly validate a cookie it trusts, unauthenticated attackers can impersonate an administrator and take complete control of an affected site. Disclosed publicly on June 8, 2025, and patched on July 17, 2025, the flaw has been actively exploited in the wild since at least August 1, 2025, putting more than 6,000 installations at risk, many of them small businesses and service providers that rely on WordPress for scheduling and payment processing. Exploitation continues despite the availability of the patch, which underlines how quickly updates and compensating controls need to be applied.
CVE-2025-5947 (CVSS 9.8) affects the Service Finder Bookings plugin that ships with the Service Finder WordPress theme, versions up to and including 6.0. The root cause is incorrect validation of the original_user_id cookie inside the service_finder_switch_back() function: the function trusts the user ID supplied in that cookie without confirming that the requester is entitled to switch to it. An unauthenticated attacker therefore only needs to send a crafted HTTP GET request carrying the switch_back=1 parameter together with a forged original_user_id cookie to be logged in as any user, including an administrator. With full administrative capabilities, an attacker can alter content and settings, upload PHP files, export the database, and create new accounts. The vulnerability was reported by the researcher Foxyyy and fixed in version 6.1, released on July 17, 2025. Since August 1, 2025, more than 13,800 exploitation attempts have been observed, the majority originating from just five IP addresses. Public availability of exploit details and the associated indicators of compromise raises the likelihood of opportunistic scanning and mass exploitation.
Exploitation Demonstration:
Ease of Exploitation:
CVE-2025-5947 is extremely easy to exploit: it targets a simple logic error in cookie handling, requires no authentication or special privileges, and can be probed with a single plain HTTP request. Those properties let automated scanners and low-skill actors locate and attack vulnerable sites at scale. The vulnerability was weaponized quickly, producing thousands of automated attempts from a small number of IP addresses and sustained daily attack volumes, so exploitation is low-effort and high-velocity. Site operators should assume they are at immediate risk until the patch (v6.1) is applied and compensating controls (WAF rules, IP blocklists, log monitoring) are in place.
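Because the trigger for the vulnerable code path is the switch_back=1 query parameter, which appears in the request line of an ordinary web-server access log, exploitation attempts can be hunted for in existing logs without any extra instrumentation. The following script is an added example written for this article, not code from the plugin vendor or the original researcher. It parses combined-format access-log lines, flags requests carrying switch_back=1, and summarizes them per source IP and per day so that the "few IPs, many attempts" pattern described above stands out. The log lines, IP addresses and threshold are constructed for illustration. Note the caveat in the comments: the forged original_user_id cookie is not recorded in a default log format, so a hit here is a probe to triage, not proof of a successful bypass.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Apache/Nginx "combined" format.
# These are not real traffic; RFC 5737 documentation addresses are used as source IPs.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Aug/2025:03:14:07 +0000] "GET /?switch_back=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Aug/2025:03:14:09 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Aug/2025:03:20:41 +0000] "GET /?switch_back=1 HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [02/Aug/2025:11:02:13 +0000] "GET /index.php?switch_back=1&x=1 HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.55 - - [02/Aug/2025:12:00:00 +0000] "GET /services/?page=2 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.0.2.55 - - [02/Aug/2025:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["day"] = entry["ts"].split(":", 1)[0]  # "01/Aug/2025:03:14:07 +0000" -> "01/Aug/2025"
    return entry


def is_switch_back_probe(entry):
    """True when the request carries switch_back=1 in its query string.

    That parameter is what reaches the vulnerable service_finder_switch_back() path.
    The forged original_user_id cookie is NOT visible in a default combined log, so this
    is a signature for attempts, not a confirmation that the bypass succeeded.
    """
    query = parse_qs(urlsplit(entry["target"]).query)
    return query.get("switch_back") == ["1"]


def scan(log_text):
    """Scan raw log text and return hits plus per-IP / per-day counts for triage."""
    entries = (parse_line(line) for line in log_text.splitlines())
    hits = [e for e in entries if e and is_switch_back_probe(e)]
    per_ip = Counter(e["ip"] for e in hits)
    per_day = Counter(e["day"] for e in hits)
    # A 30x response after the probe is consistent with the handler having set an auth
    # cookie and redirected; it is a reason to review the session, not a verdict on its own.
    redirected_ips = sorted({e["ip"] for e in hits if e["status"] in (301, 302)})
    return {"hits": hits, "per_ip": per_ip, "per_day": per_day, "redirected_ips": redirected_ips}


def suspicious_ips(report, min_hits=2):
    """IPs that sent at least min_hits probes; min_hits is an illustrative threshold."""
    return sorted(ip for ip, n in report["per_ip"].items() if n >= min_hits)


if __name__ == "__main__":
    report = scan(SAMPLE_LOG)
    print(f"{len(report['hits'])} switch_back=1 requests found")
    for ip, n in report["per_ip"].most_common():
        print(f"  {ip}: {n}")
    print("per day:", dict(report["per_day"]))
    print("redirected after probe:", report["redirected_ips"])
    print("candidates for blocklist / forensic review:", suspicious_ips(report))
```

To run it against a real server, feed the contents of the access log into scan() instead of SAMPLE_LOG. Every flagged request should be cross-checked against the WordPress user table (new administrator accounts, changed e-mail addresses) and the uploads directory for PHP files written around the same timestamps, because a legitimate administrator using the plugin's own "switch back" feature would produce the same request line.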
Conclusion:
CVE-2025-5947 is a critical, actively exploited authentication bypass that puts thousands of Service Finder sites at risk and must be addressed immediately. If a site ran a vulnerable version, assume it may already be compromised: apply the vendor patch (Service Finder v6.1) or remove or disable the component at once, rotate credentials and API keys, deploy compensating controls (WAF rules, targeted IP blocklists, enhanced monitoring and alerting), and carry out a forensic review of user accounts and logs, restoring from a known-clean backup where necessary. Because an attacker with administrator access can delete traces of their activity, prompt action and careful validation of the site's state are essential. Treat this as a high-priority incident, notify stakeholders and customers as required, and preserve evidence for investigation.
Exploiting CVE-2025-5947 gives attackers unauthenticated administrator access and complete control over affected Service Finder sites (versions up to and including 6.0). The consequences include arbitrary content and configuration changes, creation of backdoors or persistent administrator accounts, PHP uploads leading to remote code execution, database export and data theft, manipulation of payments and bookings, and the ability to erase forensic evidence. With a CVSS score of 9.8, more than 6,000 deployed sites exposed, and roughly 13,800 documented exploitation attempts (with daily spikes exceeding 1,500), the vulnerability poses an urgent and serious operational, financial, and reputational risk to site owners and their customers.