PROBABLYPWNED
Vulnerabilities | February 4, 2026 | 3 min read

WordPress Service Finder Plugin Exploit Hits 13,800 Sites

Attackers exploiting CVE-2025-5947 in Service Finder Bookings plugin to hijack admin accounts through cookie manipulation. Over 6,000 sites potentially exposed.

Marcus Chen

Attackers are actively exploiting a vulnerability in the Service Finder Bookings WordPress plugin to hijack administrator accounts without authentication. Since public disclosure, security researchers have blocked more than 13,800 exploitation attempts targeting approximately 6,000 WordPress sites using the vulnerable plugin.

The flaw, tracked as CVE-2025-5947, exists in all versions of Service Finder Bookings through 6.0. The plugin provides appointment scheduling for service businesses and integrates with the Service Finder theme—a commercial WordPress theme with thousands of active installations.

How the Attack Works

The vulnerability exists in the _service_finder_switch_back() function, which handles user session switching. The function failed to properly validate or authenticate cookie values before establishing user sessions.

Attackers exploit this by manipulating the original_user_id cookie in their HTTP requests. When they send a GET request with the switch_back parameter and a spoofed cookie containing an administrator's user ID, the plugin dutifully logs them in as that administrator. No password required. No authentication checks. Just cookie manipulation.

The attack sequence is trivial:

  1. Send GET request to target site with switch_back parameter
  2. Include original_user_id cookie set to administrator account ID (typically "1")
  3. Receive authenticated administrator session

Once attackers have admin access, they can install backdoor plugins, inject malicious JavaScript, create additional admin accounts for persistence, or redirect visitors to phishing pages. The escalation from vulnerability to complete site compromise takes seconds.

Active Exploitation Underway

Security researchers identified five IP addresses conducting the majority of attacks:

  • Primary attack sources have been added to major threat intelligence blocklists
  • Attack volume increased sharply following public vulnerability disclosure
  • Automated scanning suggests attackers are enumerating all accessible Service Finder installations

The 13,800 blocked attempts represent only attacks caught by monitoring services. Actual exploitation attempts are likely higher, particularly against sites without web application firewalls or security plugins.

Remediation Steps

Site administrators running Service Finder Bookings should:

  1. Update immediately to version 6.1 or later, which patches CVE-2025-5947
  2. Audit administrator accounts for any unauthorized additions
  3. Review plugin installations for backdoors or unknown plugins
  4. Check theme files for injected JavaScript or modified PHP
  5. Enable automatic updates for plugins and WordPress core

For sites that cannot immediately update, implementing a web application firewall rule to block requests containing the switch_back parameter provides temporary mitigation. This breaks legitimate session switching functionality but prevents exploitation.
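Where no web application firewall sits in front of the site, the same request-level block can be applied inside WordPress itself. The following is an added example written for this page, not the plugin vendor's or the article author's code: a must-use plugin (the file name block-switch-back.php is an assumption) that refuses any request carrying the switch_back parameter and logs it. WordPress loads wp-content/mu-plugins/ files before regular plugins, so the check runs before any plugin hook sees the request. Like the WAF rule above, it disables legitimate switch-back until the plugin is updated.

```php
<?php
/*
 * Added example, not part of the article or the plugin.
 * Place as wp-content/mu-plugins/block-switch-back.php (assumed file name).
 * Must-use plugins are included by wp-settings.php before regular plugins,
 * so this runs before the vulnerable handler can register its hooks.
 */

$sf_has_param  = isset( $_REQUEST['switch_back'] );          // the trigger
$sf_has_cookie = isset( $_COOKIE['original_user_id'] );     // the spoofed identity

if ( $sf_has_param ) {
    // Record enough to correlate with the access log. REMOTE_ADDR is the
    // upstream proxy's address when the site sits behind one; adjust accordingly.
    error_log( sprintf(
        'switch_back mitigation: blocked %s %s from %s (original_user_id cookie present: %s)',
        $_SERVER['REQUEST_METHOD'] ?? '-',
        $_SERVER['REQUEST_URI'] ?? '-',
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $sf_has_cookie ? 'yes' : 'no'
    ) );
    http_response_code( 403 );
    header( 'Content-Type: text/plain; charset=utf-8' );
    echo 'Forbidden';
    exit;   // nothing downstream (core, theme, plugins) runs for this request
}
```

The block keys on the parameter only, matching the article's rule; the cookie is logged rather than blocked so that a legitimate user whose browser still holds an old original_user_id cookie is not locked out of every page. Remove the file once version 6.1 or later is installed.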

WordPress Plugin Security Pattern

CVE-2025-5947 follows a familiar pattern in WordPress security: third-party plugins that implement custom authentication or session handling without following security best practices. We saw a similar admin takeover vulnerability in Modular DS just last week. The core WordPress authentication system includes protections against session manipulation, but plugins that bypass these systems often reintroduce vulnerabilities.
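To make the pattern from "How the Attack Works" and from this paragraph concrete, here is an illustrative PHP sketch of a switch-back handler that restores identity from a cookie, beside a hardened variant that uses the core APIs WordPress already provides. This is an added example written for this page, not the Service Finder plugin's actual source; the function names, the sf_switch_token cookie, the sf_switch_ transient prefix, the ten-minute lifetime and the manage_options capability are all assumptions.

```php
<?php
/*
 * Added example for this page (not the plugin's code). Shows the cookie-trust
 * defect the article describes next to a version that keeps the switch record
 * on the server. Every name below marked "assumed" is hypothetical.
 */

/* ---- Unsafe pattern: the identity to restore comes from the client ---- */
function sf_example_switch_back_unsafe() : void {
    if ( ! isset( $_GET['switch_back'] ) ) {
        return;
    }
    // A cookie is attacker-controlled input; whoever sends original_user_id=1
    // is logged in as user 1 with no further check.
    $user_id = (int) ( $_COOKIE['original_user_id'] ?? 0 );
    wp_set_auth_cookie( $user_id );
    wp_safe_redirect( admin_url() );
    exit;
}

/* ---- Hardened pattern: server-side record, nonce, single-use token ---- */
define( 'SF_EXAMPLE_TTL', 10 * MINUTE_IN_SECONDS );   // assumed switch lifetime

// Runs when a privileged user switches into $target_id.
function sf_example_switch_to( int $target_id ) : void {
    if ( ! current_user_can( 'manage_options' ) ) {      // assumed capability
        wp_die( 'Insufficient privileges', 403 );
    }
    // The cookie carries only an unguessable handle; who it maps to is stored
    // server-side, so the client cannot choose the account to return to.
    $token = wp_generate_password( 32, false );          // 32 alphanumerics
    set_transient( 'sf_switch_' . $token, [
        'original' => get_current_user_id(),
        'target'   => $target_id,
    ], SF_EXAMPLE_TTL );
    setcookie( 'sf_switch_token', $token, [             // assumed cookie name
        'expires'  => time() + SF_EXAMPLE_TTL,
        'path'     => COOKIEPATH,
        'secure'   => is_ssl(),
        'httponly' => true,
        'samesite' => 'Lax',
    ] );
    wp_set_auth_cookie( $target_id );
    wp_safe_redirect( admin_url() );
    exit;
}

// The switch-back link is rendered with
//   wp_nonce_url( add_query_arg( 'switch_back', '1' ), 'sf_switch_back' )
function sf_example_switch_back_hardened() : void {
    if ( ! isset( $_GET['switch_back'] ) ) {
        return;
    }
    // 1. Nonce: the request must come from a page rendered for this session.
    if ( ! wp_verify_nonce( $_GET['_wpnonce'] ?? '', 'sf_switch_back' ) ) {
        wp_die( 'Invalid request', 403 );
    }
    // 2. Resolve the token on the server; anything switch_to() never issued fails.
    $token = $_COOKIE['sf_switch_token'] ?? '';
    if ( ! preg_match( '/^[A-Za-z0-9]{32}$/', $token ) ) {
        wp_die( 'Invalid request', 403 );
    }
    $record = get_transient( 'sf_switch_' . $token );
    // The record must belong to the account currently logged in.
    if ( ! is_array( $record ) || (int) $record['target'] !== get_current_user_id() ) {
        wp_die( 'No active switch for this session', 403 );
    }
    // 3. Single use: consume the record before restoring the original session.
    delete_transient( 'sf_switch_' . $token );
    setcookie( 'sf_switch_token', '', time() - 3600, COOKIEPATH );
    wp_set_auth_cookie( (int) $record['original'] );
    wp_safe_redirect( admin_url() );
    exit;
}
add_action( 'init', 'sf_example_switch_back_hardened' );
```

The three differences are what the article's "best practices" amount to in code: the account to restore is decided by data the server wrote, not by a value the browser sends; the link is nonce-protected so it cannot be triggered cross-site; and the token is consumed on use and expires on its own, so a leaked cookie has a short, single-shot life.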

Service businesses using Service Finder trusted the plugin to handle sensitive operations—appointment scheduling often involves payment processing and customer data. A complete admin takeover exposes not just the WordPress installation but all business data the site contains.

Organizations running WordPress sites should audit their plugin inventory for authentication-related functionality. Plugins handling sessions, user switching, impersonation, or custom login flows deserve extra scrutiny. The OWASP guidelines for WordPress security provide a framework for identifying high-risk plugin patterns.

Indicators of Compromise

Monitor access logs for suspicious patterns:

  • GET requests containing switch_back parameter
  • Requests with original_user_id cookie values that don't match the authenticated user
  • New administrator accounts created without corresponding user registration records
  • Plugin installations with recent modification timestamps that don't match legitimate admin activity
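The first two indicators can be checked mechanically against the web server's access log. The script below is an added example, not from the article: it parses lines, flags requests that carry the switch_back parameter or an original_user_id cookie, and groups hits by source address so scanning sources stand out. It assumes an Apache-style LogFormat that appends the Cookie header to the combined format ("%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\""); a plain combined log still yields the parameter-based hits. The sample lines embedded in it are constructed for this example.

```php
<?php
/*
 * Added example (not from the article or the plugin): scan an access log for
 * the request-level indicators of CVE-2025-5947 exploitation attempts.
 * Usage: php scan-switch-back.php /var/log/apache2/access.log
 * With no argument it runs over the constructed sample lines below.
 */

// Combined log format with an optional trailing "%{Cookie}i" field.
const SF_LOG_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+)[^"]*" '
                . '(?<status>\d{3}) \S+ "[^"]*" "(?<ua>[^"]*)"(?: "(?<cookie>[^"]*)")?/';

// Returns a finding for one line, or null when nothing suspicious is present.
function sf_scan_line( string $line ) : ?array {
    if ( ! preg_match( SF_LOG_RE, $line, $m ) ) {
        return null;                                   // not in the expected format
    }
    $reasons = [];
    $query = parse_url( $m['path'], PHP_URL_QUERY ) ?? '';
    parse_str( $query, $params );
    if ( array_key_exists( 'switch_back', $params ) ) {
        $reasons[] = 'switch_back parameter';
    }
    $cookie = $m['cookie'] ?? '';                      // absent in plain combined logs
    if ( preg_match( '/(?:^|;\s*)original_user_id=(\d+)/', $cookie, $c ) ) {
        $reasons[] = 'original_user_id cookie=' . $c[1];
    }
    if ( ! $reasons ) {
        return null;
    }
    return [
        'ip'      => $m['ip'],
        'time'    => $m['time'],
        'status'  => (int) $m['status'],
        'path'    => $m['path'],
        'reasons' => $reasons,
    ];
}

// Scans many lines; returns the findings plus a per-source count, busiest first.
function sf_scan_log( iterable $lines ) : array {
    $hits   = [];
    $per_ip = [];
    foreach ( $lines as $line ) {
        $hit = sf_scan_line( trim( $line ) );
        if ( null === $hit ) {
            continue;
        }
        $hits[] = $hit;
        $per_ip[ $hit['ip'] ] = ( $per_ip[ $hit['ip'] ] ?? 0 ) + 1;
    }
    arsort( $per_ip );
    return [ 'hits' => $hits, 'per_ip' => $per_ip ];
}

// Constructed sample lines (documentation IP ranges; not real traffic).
$sample = [
    '203.0.113.10 - - [04/Feb/2026:10:15:01 +0000] "GET /?switch_back=1 HTTP/1.1" 302 0 "-" "python-requests/2.31" "original_user_id=1"',
    '203.0.113.10 - - [04/Feb/2026:10:15:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 5123 "-" "python-requests/2.31" "wordpress_test_cookie=WP%20Cookie%20check"',
    '198.51.100.7 - - [04/Feb/2026:10:16:40 +0000] "GET /?switch_back=1 HTTP/1.1" 403 0 "-" "curl/8.5.0" "original_user_id=1"',
    '192.0.2.55 - - [04/Feb/2026:10:20:00 +0000] "GET /booking/?service=haircut HTTP/1.1" 200 8801 "https://example.test/" "Mozilla/5.0" "-"',
];

$lines  = isset( $argv[1] )
    ? file( $argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES )
    : $sample;
$report = sf_scan_log( $lines );

foreach ( $report['hits'] as $h ) {
    // A 403 means an edge control dropped the request; any other status means it
    // reached the site and the plugin version at that time decides the outcome.
    $note = 403 === $h['status'] ? 'blocked' : 'reached site, investigate';
    printf( "%s %-15s %d %s [%s] %s\n",
        $h['time'], $h['ip'], $h['status'], $h['path'], implode( ', ', $h['reasons'] ), $note );
}
foreach ( $report['per_ip'] as $ip => $n ) {
    printf( "%s: %d suspicious request(s)\n", $ip, $n );
}
```

On the sample input the two switch_back requests are reported and the ordinary wp-admin and booking requests are not; the 302 from 203.0.113.10 is the line worth following up, since it was not blocked. The same per-IP grouping is what lets the scanning behaviour described under "Active Exploitation Underway" show up as a handful of addresses with many hits.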

Sites confirming compromise should consider full reinstallation rather than attempting cleanup. Attackers with admin access can plant persistence mechanisms that survive plugin updates and password changes.
