Critical WordPress Flaw CVE-2025-5947 (CVSS 9.8) Under Active Exploitation for Admin Takeover
A critical vulnerability has been discovered in the popular WordPress theme Service Finder, allowing attackers to gain unauthorized access to any account on affected websites — including administrative ones. The issue stems from the integrated Service Finder Bookings plugin, used for managing reservations and bundled directly with the theme. At its core, the flaw enables a bypass of the authentication mechanism, paving the way for complete site takeover and potential abuse of its functionality.
The vulnerability, tracked as CVE-2025-5947, has received a CVSS score of 9.8, indicating critical severity. The root cause lies within the service_finder_switch_back() function, responsible for handling account switching. Due to improper validation of cookie values, attackers could impersonate any user without authentication, leading to privilege escalation — from unauthenticated access to full administrative control of the website.
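As an added illustration of the defensive pattern such a handler needs (this is not the Service Finder theme's or plugin's code; the `example_` function names and the cookie name are hypothetical), a switch-back cookie should carry an expiry and an HMAC keyed by the site's auth salt, and the server should re-check who is logged in and whether the target account is an administrator rather than trusting a user ID read from the cookie:

```php
<?php
// Hypothetical hardened switch-back flow for WordPress (not the theme's code).
// The weak pattern is to read a user ID from a cookie and log that user in
// without verifying the cookie's origin, its age, or the caller's session.

const EXAMPLE_SWITCH_BACK_COOKIE = 'example_switch_back'; // hypothetical name

// Issued when an administrator switches into another account: the admin's ID
// and an expiry are bound together by an HMAC keyed with wp_salt('auth').
function example_issue_switch_back_cookie( int $admin_id ): void {
    $expires = time() + 15 * MINUTE_IN_SECONDS;
    $payload = $admin_id . '|' . $expires;
    $mac     = hash_hmac( 'sha256', $payload, wp_salt( 'auth' ) );
    setcookie( EXAMPLE_SWITCH_BACK_COOKIE, $payload . '|' . $mac, $expires,
        COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true ); // HttpOnly, Secure on HTTPS
}

// Called on switch-back. Returns the restored admin ID, or 0 when the caller
// is anonymous or the cookie is missing, tampered with, expired, or does not
// name an administrator. Nothing in the cookie is trusted before the HMAC check.
function example_switch_back(): int {
    if ( ! is_user_logged_in() ) {
        return 0; // unauthenticated visitors cannot "switch back" to anything
    }
    if ( empty( $_COOKIE[ EXAMPLE_SWITCH_BACK_COOKIE ] ) ) {
        return 0;
    }
    $parts = explode( '|', (string) $_COOKIE[ EXAMPLE_SWITCH_BACK_COOKIE ] );
    if ( count( $parts ) !== 3 ) {
        return 0;
    }
    [ $admin_id, $expires, $mac ] = $parts;
    $expected = hash_hmac( 'sha256', $admin_id . '|' . $expires, wp_salt( 'auth' ) );
    if ( ! hash_equals( $expected, $mac ) ) {
        return 0; // forged or edited cookie: constant-time compare fails
    }
    if ( (int) $expires < time() ) {
        return 0; // stale cookie
    }
    $admin_id = (int) $admin_id;
    // Authorization is re-derived server-side; the cookie is evidence, not authority.
    if ( ! user_can( $admin_id, 'manage_options' ) ) {
        return 0;
    }
    wp_set_auth_cookie( $admin_id );
    wp_set_current_user( $admin_id );
    // One-shot: clear the switch-back cookie once it has been consumed.
    setcookie( EXAMPLE_SWITCH_BACK_COOKIE, '', time() - HOUR_IN_SECONDS,
        COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
    return $admin_id;
}
```

The key property is that the user ID only becomes an authenticated identity after the HMAC, expiry, session and capability checks all pass; a cookie presented by an unauthenticated request is rejected before any of its contents are used.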
According to Envato Market, the Service Finder theme has been adopted by more than 6,100 customers, and all versions up to and including 6.0 were vulnerable. The developers resolved the issue on July 17, 2025, releasing version 6.1, in which the function’s logic was restructured and the verification process significantly reinforced.
Since early August, over 13,000 exploitation attempts have been recorded. While the exact number of successful breaches remains undisclosed, confirmed attacks have targeted websites running the vulnerable Service Finder Bookings component. Researchers from Wordfence have identified several IP addresses linked to these attempts, including 5.189.221.98, 185.109.21.157, 192.121.16.196, 194.68.32.71, and 178.125.204.198.
The potential impact on compromised sites is severe. Attackers can inject malicious scripts, redirect visitors to phishing domains, distribute malware, or even repurpose the websites to host fraudulent online services.
Because these attacks can be executed without any prior registration, websites remain exposed until administrators install the latest patched version and thoroughly audit their configurations and content for suspicious modifications.
Security experts strongly urge all site owners using the Service Finder theme to upgrade immediately to version 6.1 and review their activity logs for signs of unauthorized access. In the context of active exploitation, any delay in patching could result in serious damage to both site infrastructure and organizational reputation.