Critical Flaw in WordPress Service Finder Theme Allows Authentication Bypass by Attackers

A serious security flaw has been discovered in the popular Service Finder WordPress theme, which attackers are actively exploiting to gain unauthorized access to websites. This vulnerability allows threat actors to log in as any user, including administrators, and take complete control of affected sites.

Details of the Vulnerability

The flaw, tracked as CVE-2025-5947 with a CVSS score of 9.8, impacts the Service Finder Bookings plugin, which is bundled with the Service Finder theme. The issue was identified by a security researcher known as Foxyyy.

According to Wordfence researcher István Márton, “This vulnerability enables an unauthenticated attacker to log into any account on a site, including administrator accounts.”

At its core, the problem arises from insufficient validation of user cookies before performing login operations through the function service_finder_switch_back(). Because of this flaw, attackers can bypass authentication and escalate privileges, effectively taking over the entire site.
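The defensive pattern that the quoted description implies is worth spelling out. The following is an added illustration, not the Service Finder plugin's code: the function names (`sf_demo_switch_to_user`, `sf_demo_switch_back`) and cookie name are hypothetical. The weak pattern behind this bug class is a "switch back" handler that reads a user ID straight from a cookie and calls `wp_set_auth_cookie()` on it; the version below keeps only an opaque random token in the cookie, binds it server-side to the account that actually performed the switch, and re-checks that account's capability before logging anyone back in.

```php
<?php
// Added example, not the plugin's code. Names prefixed sf_demo_ are hypothetical.
// Weak pattern: cookie holds "original_user_id=1", handler trusts it and calls
// wp_set_auth_cookie(1). Anyone who can set a cookie becomes user 1.
// Hardened pattern: cookie holds a random token; the token -> user mapping lives
// in a short-lived transient created only by a privileged, nonce-checked action.

define( 'SF_DEMO_COOKIE', 'sf_demo_switch_back' );

// Called when an administrator deliberately switches into another account.
function sf_demo_switch_to_user( int $target_user_id ): void {
    check_admin_referer( 'sf_demo_switch_' . $target_user_id ); // CSRF nonce check
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Not allowed.', 403 );
    }
    $original_id = get_current_user_id();
    $token       = wp_generate_password( 43, false );          // random, alphanumeric
    // Server-side record keyed by the salted hash of the token; one-hour lifetime.
    set_transient( 'sf_demo_sb_' . wp_hash( $token ), $original_id, HOUR_IN_SECONDS );
    setcookie( SF_DEMO_COOKIE, $token, time() + HOUR_IN_SECONDS,
               COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );    // Secure + HttpOnly
    wp_set_current_user( $target_user_id );
    wp_set_auth_cookie( $target_user_id );
}

// Called on "switch back". Nothing in the cookie is used as an identity directly.
function sf_demo_switch_back(): void {
    $token = isset( $_COOKIE[ SF_DEMO_COOKIE ] ) ? (string) $_COOKIE[ SF_DEMO_COOKIE ] : '';
    if ( ! preg_match( '/^[A-Za-z0-9]{43}$/', $token ) ) {
        wp_die( 'Invalid switch-back request.', 403 );
    }
    $key         = 'sf_demo_sb_' . wp_hash( $token );
    $original_id = get_transient( $key );
    delete_transient( $key );                                  // single use
    setcookie( SF_DEMO_COOKIE, '', time() - 3600, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
    $original = $original_id ? get_userdata( (int) $original_id ) : false;
    // The mapped account must still exist and still hold the privilege that
    // allowed the switch; a forged or expired token never reaches this point.
    if ( ! $original || ! user_can( $original, 'manage_options' ) ) {
        wp_die( 'Invalid switch-back request.', 403 );
    }
    wp_set_current_user( $original->ID );
    wp_set_auth_cookie( $original->ID );
    wp_safe_redirect( admin_url() );
    exit;
}
```

The single-use transient means a replayed or guessed cookie value yields nothing, and the capability re-check closes the path where a low-privilege account could be mapped to an administrator.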

Impact and Exploitation

The vulnerability allows unauthenticated attackers to impersonate legitimate users or administrators. Once inside, they can inject malicious scripts, redirect users to phishing sites, or even host malware on compromised websites.

All versions of the Service Finder theme up to and including version 6.0 are affected. The developers released a patch (version 6.1) on July 17, 2025, to fix the issue. According to Envato Market, the theme has been purchased by more than 6,100 customers, highlighting the widespread risk.

Ongoing Attacks

Wordfence reports that exploitation attempts against CVE-2025-5947 began on August 1, 2025, and that more than 13,800 attempts have been recorded so far. How many of these attempts succeeded remains unknown.

The following IP addresses have been linked to exploitation attempts targeting the vulnerable plugin’s account switching function:

Mitigation Steps

Website administrators using the Service Finder theme are strongly advised to:

  • Update the theme and its bundled plugins to version 6.1 or later.
  • Review logs and audit recent login activity.
  • Check for unexpected redirects, injected scripts, or unfamiliar admin accounts.
  • Enable two-factor authentication (2FA) to strengthen site security.