WordPress sites attacked via critical vulnerability in Service Finder Bookings plugin

Security researchers are reporting ongoing attacks against WordPress sites via a serious vulnerability in the Service Finder Bookings plugin, allowing unauthenticated attackers to gain administrative access. The flaw is actively exploited and has been assigned the identifier CVE-2025-5947.

The Service Finder Bookings plugin is distributed alongside the premium Service Finder theme, which is used to turn WordPress sites into directories or job-listing marketplaces (e.g. connecting service providers and clients). In versions prior to 6.1, the plugin includes an “account switching” mechanism that is insecurely implemented.

The vulnerability stems from inadequate validation of cookie values when the service_finder_switch_back() function is called. In effect, an attacker can supply an original_user_id cookie containing the user identifier of any account (including administrators), and the plugin’s logic will accept it, set WordPress authentication cookies, and log the attacker in as that user. As a result, the flaw enables privilege escalation without any prior authentication. It has been rated 9.8 (Critical) on the CVSS 3.x scale.

The vulnerability is sometimes described as an authentication bypass via user switch cookie or authorization bypass (IDOR / cookie tampering).

Attack activity and timeline

Evidence suggests that the vulnerability has been actively exploited in the wild. Wordfence reports that numerous exploit attempts have been blocked against sites running the vulnerable plugin version. According to Patchstack’s writeup, there is an earlier but related vulnerability designated CVE-2025-23970, affecting versions up to 6.0, which similarly allows privilege escalation. The current advisory notes that no patch is yet available for that vulnerability in some versions, and that sites should remove the plugin if they cannot update.

Security sources confirmed to Hostvix that version 6.1 is the version in which the issue is addressed. As of now, sites running versions below 6.1 remain at risk.

Recommendations for site owners

Site administrators using the Service Finder theme or plugin are strongly advised to verify their version of the plugin. If it is older than 6.1, the plugin should be updated immediately to a patched release (if available). In cases where updating is not feasible, disabling or removing the plugin is recommended to reduce exposure. It is also prudent to review access logs for suspicious attempts involving query parameters such as switch_back or cookies referencing user IDs, and to audit user accounts for unauthorized changes.
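The log review recommended above can be scripted. The example below is added here and is not code from the advisory or the plugin: it parses access-log lines in a constructed format (Apache "combined" plus a trailing quoted Cookie header, which the default format does not record, so the log configuration must be extended for this to work) and flags requests carrying a switch_back query parameter or an original_user_id cookie, the two indicators named in the recommendations. All sample lines are invented.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (hypothetical traffic, not real data). Format assumed:
# Apache "combined" followed by a quoted %{Cookie}i field.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:10:01:02 +0000] "GET /?switch_back=1 HTTP/1.1" 302 0 "-" "curl/8.4" "original_user_id=1"
198.51.100.9 - - [10/Oct/2025:10:01:05 +0000] "GET /listings/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "wordpress_test_cookie=WP+Cookie+check"
203.0.113.7 - - [10/Oct/2025:10:01:09 +0000] "GET /wp-admin/ HTTP/1.1" 200 9100 "-" "curl/8.4" "wordpress_logged_in_abc=redacted; original_user_id=1"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"(?: "(?P<cookie>[^"]*)")?$'
)


def parse_line(line):
    """Parse one log line into a dict with the query string and cookies split out.
    Returns None for lines that do not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["query"] = parse_qs(urlsplit(rec["target"]).query)
    rec["cookies"] = {}
    for part in (rec["cookie"] or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            rec["cookies"][name] = value
    return rec


def find_switch_back_attempts(log_text):
    """Return (ip, timestamp, reasons) for every request that carries either
    indicator from the advisory: a switch_back parameter or an original_user_id cookie."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if "switch_back" in rec["query"]:
            reasons.append("switch_back query parameter")
        if "original_user_id" in rec["cookies"]:
            reasons.append("original_user_id cookie=%s" % rec["cookies"]["original_user_id"])
        if reasons:
            hits.append((rec["ip"], rec["ts"], reasons))
    return hits


def suspicious_sources(hits):
    """Count flagged requests per source IP so repeat offenders surface first."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])
```

A hit whose cookie value names a low user ID (WordPress assigns ID 1 to the first administrator) followed by successful wp-admin requests from the same source is the pattern worth escalating for an account audit.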

Ongoing monitoring and deployment of web application firewalls (WAFs) or security plugins may help block exploit attempts, but these should not be viewed as substitutes for applying the proper patch.