Authentication Bypass in Service Finder Bookings WordPress Plugin
CVE-2025-5947 is a critical authentication bypass / privilege escalation vulnerability in the Service Finder Bookings plugin bundled with the Service Finder WordPress theme. It affects all versions up to and including 6.0. The flaw is caused by improper validation of a user-controlled cookie value before authenticating a session in the account-switching routine service_finder_switch_back(). Specifically, the plugin trusts cookie data associated with the original_user_id account-switching mechanism without sufficiently verifying that the requester is legitimately authorized to switch back into that account. As a result, an unauthenticated attacker can forge the relevant cookie and invoke the switch_back flow to log in as any WordPress user, including an administrator.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
Repository contains a standalone Python exploit for CVE-2025-5947 affecting the WordPress Service Finder Bookings (sf-booking) plugin. Structure is minimal: one executable Python script, one README with usage and vulnerability background, and a requirements file listing requests/urllib3 dependencies. The main script defines a CVE20255947Exploit class with three core capabilities: (1) target validation by probing /wp-admin/ and /wp-content/plugins/sf-booking/, (2) exploitation by sending a GET request to /wp-admin/admin-ajax.php with action=service_finder_switch_back and a forged original_user_id cookie, and (3) brute-force enumeration of multiple numeric user IDs to identify accounts that can be impersonated. Success is inferred from HTTP 301/302 redirects, a Location header containing /wp-admin/, and a Set-Cookie header containing wordpress_logged_in_. The exploit is a real offensive tool rather than a detector: it actively attempts to obtain an authenticated WordPress session as an arbitrary user, typically admin ID 1. No advanced post-exploitation payload is included; the script focuses solely on authentication bypass via cookie spoofing.
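Detection logic for the request pattern just described, added here as an example that is neither the tracked repository's code nor Mallory's: it parses constructed access-log lines (assumed format, with the request's Cookie header logged as the last field) and flags switch-back calls that carry original_user_id without any wordpress_logged_in_ session cookie, plus source IPs cycling through several user IDs as the exploit's enumeration mode does.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real traffic) in a combined-log-like format whose
# last quoted field is the Cookie header; assumed format, not the plugin's own data.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=service_finder_switch_back HTTP/1.1" 302 0 "original_user_id=1"
203.0.113.5 - - [10/Oct/2025:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=service_finder_switch_back HTTP/1.1" 302 0 "original_user_id=2"
203.0.113.5 - - [10/Oct/2025:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=service_finder_switch_back HTTP/1.1" 302 0 "original_user_id=3"
198.51.100.7 - - [10/Oct/2025:12:05:00 +0000] "GET /wp-content/plugins/sf-booking/readme.txt HTTP/1.1" 200 1234 "-"
192.0.2.9 - - [10/Oct/2025:12:10:00 +0000] "GET /wp-admin/admin-ajax.php?action=service_finder_switch_back HTTP/1.1" 302 0 "wordpress_logged_in_abc=admin|x; original_user_id=1"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)


def parse_cookies(raw):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}; malformed parts are ignored."""
    out = {}
    for part in raw.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def analyse(log_text, enum_threshold=3):
    """Return (unauthenticated switch-back attempts, IPs cycling through user IDs).

    Assumption: a legitimate switch-back comes from a browser that already holds a
    wordpress_logged_in_* cookie, so its absence marks a forged request.
    """
    unauth = []
    ids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "action=service_finder_switch_back" not in m["path"]:
            continue
        cookies = parse_cookies(m["cookie"])
        if "original_user_id" not in cookies:
            continue
        if not any(k.startswith("wordpress_logged_in_") for k in cookies):
            unauth.append((m["ip"], cookies["original_user_id"], m["status"]))
        ids_by_ip[m["ip"]].add(cookies["original_user_id"])
    # Several distinct IDs from one source matches the exploit's brute-force mode.
    enumerating = {ip: sorted(ids) for ip, ids in ids_by_ip.items()
                   if len(ids) >= enum_threshold}
    return unauth, enumerating
```

A 302 with Location /wp-admin/ on a flagged request is the success signature the exploit itself checks for, so those hits should be treated as compromised accounts rather than mere attempts.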
Recent activity
43 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical vulnerability in a WordPress plugin, currently trending as a target for exploitation in recent attacks.
A vulnerability in the Service Finder theme, listed as a trending CVE for the week. No further details provided.
An authentication bypass in the Service Finder WordPress theme’s bundled Bookings plugin (account switching logic) that allows an unauthenticated attacker to impersonate arbitrary users (including admin) by forging a cookie, leading to full site takeover.
A critical authentication bypass vulnerability in the Service Finder WordPress theme that can enable user impersonation and lead to privilege escalation, full control of site content/settings, PHP file uploads, and database exports.