CVE-2025-5954
📋 TL;DR
The Service Finder SMS System WordPress plugin allows unauthenticated attackers to register administrator accounts due to improper user role validation. This affects all WordPress sites using this plugin up to version 2.0.0. Attackers can gain full administrative control of vulnerable WordPress installations.
💻 Affected Systems
- Service Finder SMS System WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover with administrative privileges, allowing data theft, malware injection, defacement, and backdoor installation.
Likely Case
Attackers create admin accounts to install malicious plugins/themes, steal sensitive data, or redirect traffic.
If Mitigated
Limited impact if plugin is disabled or proper access controls prevent registration.
🎯 Exploit Status
Simple HTTP POST request to registration endpoint with administrator role parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793
Restart Required: No
Instructions:
1. Immediately disable and remove the Service Finder SMS System plugin. 2. Check for unauthorized administrator accounts. 3. Monitor for suspicious activity.
🔧 Temporary Workarounds
Disable Plugin
allDeactivate and delete the vulnerable plugin from WordPress admin panel
wp plugin deactivate service-finder-sms-system
wp plugin delete service-finder-sms-system
Block Registration Endpoint
linuxUse web application firewall or .htaccess to block access to plugin registration functionality
# Add to .htaccess: RewriteRule ^wp-content/plugins/service-finder-sms-system.* - [F,L]
🧯 If You Can't Patch
- Disable user registration completely in WordPress settings
- Implement IP-based restrictions on admin registration endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins for 'Service Finder SMS System' plugin version 2.0.0 or earlierCheck Version:
wp plugin list --name=service-finder-sms-system --field=versionVerify Fix Applied:
Confirm plugin is removed and no unauthorized administrator accounts exist📡 Detection & Monitoring
Log Indicators:
- Unusual user registration events
- New administrator account creation
- POST requests to plugin registration endpoints
Network Indicators:
- HTTP POST to /wp-content/plugins/service-finder-sms-system/* with role parameters
SIEM Query:
source="wordpress" AND (event="user_registration" OR event="role_change") AND new_role="administrator"