A critical security flaw has been discovered in the popular Service Finder WordPress theme, allowing hackers to bypass authentication and gain full access to any account, including administrator accounts.
The vulnerability, tracked as CVE-2025-5947 with a CVSS score of 9.8, affects the Service Finder Bookings plugin bundled with the theme. The flaw was discovered by a researcher known as Foxyyy.
According to Wordfence researcher István Márton, the issue allows unauthenticated attackers to log in as any user, including administrators, without needing valid credentials.
The vulnerability stems from a weakness in the plugin's account switching function, service_finder_switch_back(). The plugin does not validate the user's cookie value before logging the visitor in on the strength of it, so an attacker can set that cookie to point at any existing account and be issued a session for that account, no password required.
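The pattern described above, as an added illustration rather than the plugin vendor's own code: the vulnerable half trusts a client-controlled cookie as the user ID to restore, the hardened half keeps that ID server-side and makes the cookie an opaque, single-use token. The cookie name original_user_id, the switch_back query parameter, the init hook and every demo_* function name are assumptions chosen to show the pattern; the snippet assumes it is loaded inside WordPress (for example as a must-use plugin).

```php
<?php
/*
 * Added example of the "switch back" weakness and one way to close it.
 * Not the Service Finder Bookings plugin's code. Cookie name, query
 * parameter and hook are assumptions; it must run inside WordPress.
 */

// --- Vulnerable pattern (shown for contrast only, never hook this):
// --- the user ID to log in as comes straight from a cookie the client
// --- controls, so anyone can send original_user_id=1 and become user 1.
function demo_switch_back_vulnerable() {
    if ( ! isset( $_GET['switch_back'] ) ) {
        return;
    }
    if ( empty( $_COOKIE['original_user_id'] ) ) {   // assumed cookie name
        return;
    }
    $user_id = (int) $_COOKIE['original_user_id'];
    $user    = get_user_by( 'id', $user_id );
    if ( $user ) {
        wp_set_current_user( $user_id );
        wp_set_auth_cookie( $user_id );               // requester is now $user
        wp_safe_redirect( admin_url() );
        exit;
    }
}

// --- Hardened pattern: when an administrator switches *into* another
// --- account, the admin's ID is recorded server-side under the hash of a
// --- random token; only that token is handed to the browser.
function demo_switch_into( $target_user_id ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    $admin_id = get_current_user_id();
    $token    = wp_generate_password( 32, false );   // random, never a user ID
    set_transient( 'demo_switch_' . hash( 'sha256', $token ), $admin_id, HOUR_IN_SECONDS );
    setcookie( 'demo_switch_token', $token, time() + HOUR_IN_SECONDS,
               COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
    wp_set_current_user( (int) $target_user_id );
    wp_set_auth_cookie( (int) $target_user_id );
    return true;
}

function demo_switch_back_hardened() {
    if ( ! isset( $_GET['switch_back'] ) ) {
        return;
    }
    // 1. The switch-back link must carry a nonce bound to this action (CSRF).
    if ( ! wp_verify_nonce( $_GET['_wpnonce'] ?? '', 'demo_switch_back' ) ) {
        wp_die( 'Invalid switch-back request.', '', array( 'response' => 403 ) );
    }
    // 2. The cookie is an opaque token; it names nobody by itself.
    $token = $_COOKIE['demo_switch_token'] ?? '';
    if ( $token === '' ) {
        return;
    }
    // 3. The ID to restore comes from server-side state, looked up by token hash.
    $key      = 'demo_switch_' . hash( 'sha256', $token );
    $admin_id = get_transient( $key );
    if ( $admin_id === false || ! get_user_by( 'id', (int) $admin_id ) ) {
        wp_die( 'Switch-back token is invalid or expired.', '', array( 'response' => 403 ) );
    }
    delete_transient( $key );                        // single use
    setcookie( 'demo_switch_token', '', time() - 3600,
               COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
    wp_set_current_user( (int) $admin_id );
    wp_set_auth_cookie( (int) $admin_id );
    wp_safe_redirect( admin_url() );
    exit;
}

add_action( 'init', 'demo_switch_back_hardened' );
```

The point of the hardened version is that nothing the browser sends is ever interpreted as "who to become": the token only unlocks a record the server wrote itself, the nonce ties the request to a logged-in session, and the transient expires and is deleted on first use, so a stolen or guessed cookie buys nothing.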
Once exploited, the attacker can completely take over the affected website. They can insert malicious scripts, redirect visitors to phishing sites, or use the compromised site to distribute malware.
The theme is quite popular and has been sold to more than 6,100 customers on Envato Market. All versions of the Service Finder theme up to and including 6.0 are vulnerable. The issue was fixed in version 6.1, which was released on July 17, 2025.
Wordfence has confirmed that the vulnerability has been actively exploited since August 1, 2025, with more than 13,800 attack attempts detected so far. The success rate of these attacks is not yet known.
The following IP addresses have been observed targeting the vulnerability:
- 5.189.221.98
- 185.109.21.157
- 192.121.16.196
- 194.68.32.71
- 178.125.204.198
If you are using the Service Finder theme, update to version 6.1 or later immediately. Website administrators are also advised to review their site logs, check for user accounts they did not create, and scan their websites for malicious code. Note that patching closes the hole but does not log out an attacker who already obtained a session, so if the log review finds successful switch-back requests, reset the affected users' passwords (which invalidates their existing sessions) and remove any accounts you did not create.
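As an added triage helper for the log review recommended above (not from the article, Wordfence or the plugin vendor): it parses combined-format access log lines, flags the IP addresses listed above, and flags requests whose path mentions switch_back. The request shape ?switch_back=1 is an assumption about what an attempt looks like; adjust it to what your own logs show. The sample lines are constructed, not real traffic.

```php
<?php
// Added example: scan a combined-format access log for the attacker IPs
// named in the article and for requests that look like switch-back attempts.
// Not the vendor's code; the "?switch_back=1" request shape is an assumption.

const SUSPECT_IPS = [
    '5.189.221.98', '185.109.21.157', '192.121.16.196',
    '194.68.32.71', '178.125.204.198',
];

// Parse one Apache/Nginx "combined" line: ip - - [time] "METHOD path HTTP/x" status bytes ...
function parse_combined_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;                                  // not a combined-format line
    }
    return [ 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
             'path' => $m[4], 'status' => (int) $m[5] ];
}

// Return every line that matches a known attacker IP or a switch-back request,
// with the reason(s) attached so the analyst can see why it was flagged.
function triage_log( iterable $lines ): array {
    $hits = [];
    foreach ( $lines as $n => $line ) {
        $r = parse_combined_line( $line );
        if ( $r === null ) {
            continue;
        }
        $reasons = [];
        if ( in_array( $r['ip'], SUSPECT_IPS, true ) ) {
            $reasons[] = 'known attacker IP';
        }
        if ( stripos( $r['path'], 'switch_back' ) !== false ) {   // assumed shape
            $reasons[] = 'switch-back request';
        }
        if ( $reasons ) {
            $r['line']    = $n + 1;
            $r['reasons'] = $reasons;
            $hits[]       = $r;
        }
    }
    return $hits;
}

// Constructed sample traffic for a stand-alone run. A 302 on the switch-back
// request followed by wp-admin hits from the same IP is the sequence to chase.
$sample = [
    '203.0.113.10 - - [10/Oct/2025:08:00:01 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '5.189.221.98 - - [10/Oct/2025:08:00:07 +0000] "GET /?switch_back=1 HTTP/1.1" 302 0 "-" "python-requests/2.32"',
    '5.189.221.98 - - [10/Oct/2025:08:00:08 +0000] "GET /wp-admin/ HTTP/1.1" 200 41000 "-" "python-requests/2.32"',
    '198.51.100.7 - - [10/Oct/2025:08:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
];

foreach ( triage_log( $sample ) as $h ) {
    printf( "line %d  %-15s %s %s -> %d  [%s]\n",
        $h['line'], $h['ip'], $h['method'], $h['path'], $h['status'],
        implode( ', ', $h['reasons'] ) );
}
```

Run it with php on a real log by replacing $sample with `new SplFileObject( '/var/log/apache2/access.log' )` (it is iterable line by line). For the account check, `wp user list --role=administrator --fields=ID,user_login,user_registered` from WP-CLI lists every administrator with its creation date, which makes an account created after August 1, 2025 that you do not recognise easy to spot.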
Keeping themes and plugins up to date is essential to protect WordPress sites from such attacks. If you want to learn WordPress, you should visit TheWPGuides.