CVE-2025-5948
📋 TL;DR
The Service Finder Bookings WordPress plugin has an authentication bypass vulnerability that allows unauthenticated attackers to take over any user account, including administrators. This occurs because the plugin doesn't properly verify user identity during business claiming operations. All WordPress sites using this plugin up to version 6.0 are affected.
💻 Affected Systems
- Service Finder Bookings WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise with administrative access, allowing data theft, malware injection, defacement, and full control over the WordPress installation.
Likely Case
Administrative account takeover leading to site defacement, data exfiltration, or installation of backdoors for persistent access.
If Mitigated
Limited impact if proper network segmentation, strong authentication, and monitoring are in place to detect and block exploitation attempts.
🎯 Exploit Status
Attackers need to brute-force claim_id values, but this is practical. Subscriber privileges or brute-forcing are required for complete business takeover.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 6.0
Vendor Advisory: https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793
Restart Required: No
Instructions:
1. Update the Service Finder Bookings plugin to the latest version (above 6.0). 2. Verify the update was successful. 3. Consider changing all user passwords as a precaution.
🔧 Temporary Workarounds
Disable the vulnerable plugin
allTemporarily deactivate the Service Finder Bookings plugin until patched
wp plugin deactivate service-finder-bookings
Block vulnerable AJAX endpoint
linuxUse web application firewall or .htaccess to block access to the claim_business AJAX action
RewriteEngine On
RewriteRule ^wp-admin/admin-ajax\.php\?action=claim_business - [F,L]
🧯 If You Can't Patch
- Implement strong rate limiting and WAF rules to block brute-force attempts
- Enable multi-factor authentication for all administrative accounts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel for Service Finder Bookings plugin version. If version is 6.0 or lower, the site is vulnerable.Check Version:
wp plugin list --name=service-finder-bookings --field=versionVerify Fix Applied:
Verify plugin version is above 6.0 in WordPress admin panel and test that the claim_business AJAX action now properly validates user identity.📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful admin login from unusual IP
- Unusual AJAX requests to claim_business action
- User privilege escalation events in WordPress logs
Network Indicators:
- Unusual traffic patterns to /wp-admin/admin-ajax.php with claim_business parameter
- Brute-force patterns against the plugin endpoints
SIEM Query:
source="wordpress.log" AND ("claim_business" OR "admin-ajax.php") AND (status=200 OR user_role_changed)