A critical vulnerability identified as CVE-2025-5947 has been discovered in the Service Finder Bookings plugin for WordPress, potentially allowing attackers to escalate privileges and gain unauthorized access to admin accounts. This flaw, which affects all versions up to and including 6.0, has been assigned a CVSS score of 9.8, underscoring its severity.
The vulnerability arises from improper validation of user cookie values in the `service_finder_switch_back()` function. This oversight enables attackers to bypass authentication mechanisms, effectively granting them admin-level access without proper credentials. The flaw is categorized under CWE-639, which pertains to improper authorization.
Given the critical nature of this vulnerability, the Exploit Prediction Scoring System (EPSS) has rated it at 0.462, indicating a moderate likelihood of exploitation in the wild. The Stakeholder-Specific Vulnerability Categorization (SSVC) advises immediate attention to this issue, reflecting the potential risk it poses to affected systems.
Administrators using the Service Finder Bookings plugin are urged to verify their systems and apply any available patches or mitigations promptly. As of now, there is no indication of an official patch release, making it imperative for users to monitor updates from the plugin developers closely.
In the interim, users should consider implementing additional security measures, such as enhanced monitoring of login activities and restricting access to the admin panel to trusted IP addresses, to mitigate potential exploitation risks.
CSURFACE