
Critical WordPress Plugin Vulnerability Allows Admin Account Takeover  

Critical WordPress flaw lets attackers gain admin control, stressing the need for fast patching.

Written by Ken Underhill
Oct 10, 2025

A critical vulnerability has been discovered and actively exploited in the Service Finder Bookings plugin used by the Service Finder WordPress theme. 

The flaw, tracked as CVE-2025-5947, allows unauthenticated attackers to gain administrative access to affected WordPress sites.

This exploit highlights the ongoing risks of insecure plugin design and the importance of prompt patching across the WordPress ecosystem.

How the vulnerability works

The vulnerability stems from an authentication bypass flaw affecting all plugin versions up to and including version 6.0. 

The plugin’s service_finder_switch_back() function was designed to allow legitimate users to switch accounts using the original_user_id cookie. 

However, the function failed to properly validate or authenticate the cookie value before setting the session. As a result, attackers could manipulate the cookie to log in as any user, including administrators, effectively bypassing authentication controls.

This design flaw exposes affected websites to complete takeover, allowing attackers to alter content, install malware, or steal sensitive data.
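To make the design flaw concrete, here is an added Python model (not the plugin's code, and not a PHP excerpt from it) of the two ways a switch-back handler can treat the original_user_id cookie: trusting it outright, as the article describes, versus accepting only a value the server itself issued and bound to the current session with an HMAC. The user table, session id and signing key are constructed for the example.

```python
import hmac
import hashlib
from typing import Optional

# Constructed user table for this example (id -> role); not real site data.
USERS = {1: "administrator", 42: "subscriber"}


def switch_back_trusting_cookie(cookies: dict) -> Optional[int]:
    """Flawed pattern described in the article: the cookie value alone chooses
    which account is restored. Nothing proves the caller ever held that account,
    so whoever controls the cookie controls the outcome."""
    raw = cookies.get("original_user_id", "")
    if not raw.isdigit():
        return None
    uid = int(raw)
    return uid if uid in USERS else None


def make_switch_cookie(original_uid: int, session_id: str, key: bytes) -> str:
    """Hardened pattern: the server issues the cookie, ties it to the current
    session id, and signs both with a secret key (HMAC-SHA256)."""
    payload = f"{original_uid}:{session_id}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def switch_back_verified(cookies: dict, session_id: str, key: bytes) -> Optional[int]:
    """Restore the original account only if the cookie is authentic (valid tag),
    belongs to this session, and names an existing user."""
    raw = cookies.get("original_user_id", "")
    parts = raw.split(":")
    if len(parts) != 3:
        return None
    uid_str, cookie_session, tag = parts
    expected = hmac.new(key, f"{uid_str}:{cookie_session}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered cookie
    if cookie_session != session_id:
        return None  # replayed from another session
    if not uid_str.isdigit() or int(uid_str) not in USERS:
        return None
    return int(uid_str)
```

The verified variant also needs the cookie to be issued only at the moment a legitimate, already-authenticated switch happens; the signature protects the value in transit and at rest, not the decision to create it.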

The issue was reported to the vendor in June 2025 through the Wordfence Bug Bounty program. A patch was issued in mid-July, but threat actors are actively exploiting this vulnerability in the wild against sites that have not applied it.

Attack patterns

According to Wordfence telemetry, the company’s firewall has blocked over 13,800 exploit attempts since the vulnerability was made public. 

Attackers primarily target websites using HTTP GET requests containing the switch_back parameter and spoofed cookies (e.g., original_user_id=1) to assume administrator privileges.

Five IP addresses have been identified as the top sources of attack traffic, collectively responsible for thousands of exploit attempts:

  • 5.189.221.98  
  • 185.109.21.157  
  • 192.121.16.196  
  • 194.68.32.71  
  • 178.125.204.198  

Unfortunately, indicators of compromise (IoCs) are limited. The only reliable sign of exploitation may be log entries containing the switch_back parameter. 

However, once attackers gain administrative access, they can erase evidence of intrusion, complicating post-incident investigations.
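As an added example (not from the article or from Wordfence), the following Python scans web-server access logs for the indicator named above, requests carrying the switch_back query parameter, and totals them per source address. The log lines are constructed and use RFC 5737 documentation addresses; the Apache/nginx combined log format is assumed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined log format (assumption: the server writes this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log; 203.0.113.x / 198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Oct/2025:10:01:12 +0000] "GET /?switch_back=1 HTTP/1.1" 302 0 "-" "curl/8.4.0"
198.51.100.23 - - [09/Oct/2025:10:01:15 +0000] "GET /wp-login.php HTTP/1.1" 200 4121 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Oct/2025:10:01:16 +0000] "GET /index.php?switch_back=1&x=y HTTP/1.1" 302 0 "-" "curl/8.4.0"
198.51.100.23 - - [09/Oct/2025:10:02:01 +0000] "GET /services/?q=switch_back HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""


def is_switch_back_request(target: str) -> bool:
    """True only when switch_back appears as a query parameter *name*.
    A value such as ?q=switch_back (a search term) is not the indicator."""
    query = urlsplit(target).query
    return "switch_back" in parse_qs(query, keep_blank_values=True)


def find_switch_back_hits(log_text: str) -> list:
    """Return (ip, timestamp, target, status) for every matching request.
    The status code is kept for triage only: a 302 after switch_back is what
    the normal account-switch flow would also produce, so it does not by
    itself confirm a successful takeover."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_switch_back_request(m["target"]):
            hits.append((m["ip"], m["ts"], m["target"], int(m["status"])))
    return hits


def hits_per_source(log_text: str) -> Counter:
    """Count matching requests per source IP for blocklist and WAF rule review."""
    return Counter(ip for ip, *_ in find_switch_back_hits(log_text))
```

Because an attacker who reaches the admin role can delete or edit on-host logs, run this against copies shipped to a central log store rather than against the web server's own files.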

Scope of the vulnerability

The Service Finder theme, bundled with the vulnerable plugin, is used by approximately 6,000 websites. 

Because the flaw enables unauthenticated remote access to administrative accounts, even a small percentage of unpatched sites represents a significant threat vector for mass exploitation and potential malware campaigns.

Successful exploitation grants attackers full administrative control, enabling them to install backdoors, exfiltrate user data, inject malicious scripts, or pivot laterally to other infrastructure. 

As with many WordPress-targeted attacks, compromised websites may also be leveraged for SEO spam, phishing pages, or botnet activity.

Reducing risk through proactive defense

Organizations can reduce the risk of similar exploits by adopting a proactive, layered security strategy.

  • Update and patch regularly:  Keep WordPress core, plugins, and themes updated. Remove unused components, enable auto-updates, and ensure patched versions (e.g., 6.1+) are installed.
  • Strengthen access controls:  Limit admin privileges, require MFA for all privileged users, and disable unnecessary account-switching or file-editing features.
  • Monitor and log continuously:  Use centralized logging to track logins and changes, set alerts for anomalies, and employ file integrity monitoring for quick threat detection.
  • Harden the environment:  Restrict file permissions, enforce HTTPS with secure headers, and isolate WordPress instances to reduce exploit impact.
  • Build security and recovery resilience:  Schedule tested backups, maintain an incident response plan, train admins on security best practices, and deploy layered defenses like web-application firewalls (WAFs) and threat intelligence.

By implementing these measures, organizations can build a resilient security posture.

This incident underscores a persistent issue within the WordPress ecosystem: insecure plugin functionality that prioritizes convenience over security. 

Developers must follow secure coding standards, especially when dealing with authentication mechanisms and user sessions. In this case, the lack of basic cookie validation created a direct path to privilege escalation.

Attackers are looking to use AI to automate exploits, shrinking the window in which defenders can respond from weeks to just days or hours.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
