
Critical Authentication Bypass in WordPress Service Finder Bookings Plugin (CVE-2025-5947)

October 16th, 2025

Critical

Our Cyber Threat Intelligence Unit is monitoring the active exploitation of a critical authentication-bypass vulnerability (CVE-2025-5947) in the Service Finder Bookings plugin, which is bundled with the Service Finder WordPress theme. The vulnerability arises from improper validation of the original_user_id cookie in the service_finder_switch_back() function. An unauthenticated attacker can forge or spoof this cookie to log in as any user, including administrators. A patched version, 6.1, was released on July 17, 2025. However, Wordfence telemetry confirms widespread exploitation beginning August 1, 2025, with mass scanning and automated takeover attempts observed shortly after disclosure.

Technical Details

  • Attack Type: Authentication bypass → full administrative account takeover.

  • Severity: Critical (CVSS 9.8).

  • CVE ID: CVE-2025-5947.

  • Root Cause: Insufficient validation of the original_user_id cookie in the service_finder_switch_back() function.

  • Mechanism: The plugin performs an account-switch operation based on the attacker-supplied cookie, allowing arbitrary user impersonation without prior authentication.

  • Affected Versions: Service Finder Bookings plugin ≤ 6.0.

  • Patched Version: 6.1 (released July 17, 2025).


Impact

Successful exploitation allows complete administrative control of the affected WordPress instance, including the ability to:

  • Modify or install plugins and themes.

  • Upload webshells or malware payloads.

  • Steal user credentials and session tokens.

  • Deface or redirect website content.

  • Establish persistence and clear logs to evade detection.

Because the plugin is widely deployed within shared-hosting and multisite environments, mass compromise of unpatched sites remains a credible risk.

Detection Method

Organizations should proactively review web and application logs for indicators of exploitation:

  • HTTP Requests: Presence of the switch_back parameter or cookies containing original_user_id= values (e.g., original_user_id=1).

  • Authentication Anomalies: Unexpected administrative logins or user creation events following such requests.

  • File Integrity: Unauthorized changes to wp-config.php, or newly added PHP files under /wp-content/uploads/ or in theme directories.

  • Task Schedules: Unexpected cron entries or new scheduled tasks referencing the plugin.

  • Network Activity: Requests originating from known attacker IPs (listed in the IOC section).

Deploy WAF signatures or custom correlation rules to flag and block traffic containing these parameters.
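The log review described above, expressed as a small hunt script. This is an added example and not part of the original advisory or the plugin; it assumes an Apache combined-format access log extended with the request's Cookie header as a trailing quoted field (LogFormat ending in "%{Cookie}i"), and the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Attacker IPs from the advisory's IOC table.
IOC_IPS = {"5.189.221.98", "185.109.21.157", "192.121.16.196",
           "194.68.32.71", "178.125.204.198"}

# Assumed format: Apache combined log plus a trailing quoted Cookie header field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"(?: "(?P<cookie>[^"]*)")?'
)

# Constructed sample lines: one benign request, one matching every indicator,
# one carrying only the forged cookie from a non-IOC address.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Aug/2025:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0" "wordpress_test_cookie=WP+Cookie+check"
5.189.221.98 - - [01/Aug/2025:10:01:07 +0000] "GET /?switch_back=1 HTTP/1.1" 302 0 "-" "python-requests/2.31" "original_user_id=1"
198.51.100.7 - - [01/Aug/2025:10:02:15 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "-" "Mozilla/5.0" "original_user_id=1; wordpress_logged_in_x=abc"
"""

def analyze_line(line):
    """Return the indicator tags found on one log line (empty list = nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]  # surfaced so unreadable lines are not silently skipped
    tags = []
    # switch_back as a query parameter, even with an empty value
    query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    if "switch_back" in query:
        tags.append("switch_back_param")
    # original_user_id cookie, reported with the user id it tries to assume
    cm = re.search(r"(?:^|;\s*)original_user_id=([^;]*)", m.group("cookie") or "")
    if cm:
        tags.append("original_user_id_cookie=" + cm.group(1))
    if m.group("ip") in IOC_IPS:
        tags.append("ioc_ip")
    return tags

def scan_log(lines):
    """Return (line_no, client_ip, tags) for every line that carries at least one indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        tags = analyze_line(line)
        if tags:
            hits.append((n, line.split(" ", 1)[0], tags))
    return hits

if __name__ == "__main__":
    for n, ip, tags in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {n} from {ip}: {', '.join(tags)}")
```

Any hit for the cookie or parameter should be correlated with the login and user-creation events that follow it, as the Authentication Anomalies item describes.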

Indicators of Compromise

Type           | Indicator                                                                    | Description
IP Address     | 5.189.221.98, 185.109.21.157, 192.121.16.196, 194.68.32.71, 178.125.204.198 | Reported by Wordfence as active exploit sources targeting CVE-2025-5947
HTTP parameter | switch_back / original_user_id                                               | Parameters used in the malicious account-switch requests.


Recommendations

  • Update immediately to Service Finder Bookings v6.1 or later.

  • If patching cannot be applied, disable the plugin until updated.

  • Enforce WAF rules to block or alert on switch_back / original_user_id patterns.

  • Audit access and authentication logs for the indicators above.

  • Check for persistence by hunting for unknown PHP files, new admin accounts, and modified configuration files.

  • Rotate credentials (admin, FTP, database, API keys) and enforce multi-factor authentication.

  • Restore from known-good backups if compromise is confirmed.

Conclusion

CVE-2025-5947 presents a serious and ongoing risk to WordPress environments because it allows unauthenticated administrator takeover and is being actively exploited worldwide. Although patched in July 2025, exploitation remains active, which indicates that vulnerable versions are still exposed and underlines the need for immediate remediation and comprehensive log review. We urge organizations to verify patch deployment, perform targeted log and integrity reviews, and rotate all privileged credentials to defend against this ongoing threat. Any instance that cannot be confidently validated as clean should be treated as compromised and rebuilt from a trusted baseline.
