CVE-2025-5947: WordPress Plugin flaw lets hackers access Admin accounts


Threat actors are exploiting a critical flaw, tracked as CVE-2025-5947, in the Service Finder WordPress theme’s Bookings plugin.

Threat actors are exploiting a critical vulnerability, tracked as CVE-2025-5947 (CVSS score 9.8), in the Service Finder WordPress theme’s Bookings plugin. The plugin (versions ≤ 6.0) has an authentication bypass issue that allows attackers to log in as any user, including admins, due to improper cookie validation.

“The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0.” reads the advisory published by Wordfence. “This is due to the plugin not properly validating a user’s cookie value prior to logging them in through the service_finder_switch_back() function. This makes it possible for unauthenticated attackers to login as any user including admins.”

An attacker can exploit this authentication bypass vulnerability to take over any account, including admin ones.

The Service Finder WordPress theme’s Bookings plugin is a built-in component designed to let businesses and professionals offer service listings and online booking functionality on their WordPress websites.

“This vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts with the ‘administrator’ role. The vendor released the patched version on July 17, 2025, and we publicly disclosed this vulnerability on July 31, 2025.” continues the advisory.

A researcher who goes by the moniker Foxyyy reported the vulnerability.

Wordfence warns that threat actors started exploiting the vulnerability on August 1, 2025, the day after its public disclosure. The Wordfence Firewall has already blocked over 13,800 exploit attempts targeting this vulnerability.

Analysis of the plugin’s code revealed that the service_finder_switch_back() function allows account switching based on the original_user_id cookie but performs no authentication check on it. This flaw lets attackers spoof the cookie to log in as any user, including admins, enabling full site compromise and potential further infection of vulnerable WordPress sites.

Wordfence observed five IP addresses targeting the Service Finder Bookings plugin’s account switching function.

“Unfortunately, there are currently no clear or easily identifiable indicators of compromise aside from logged requests containing the ‘switch_back’ parameter. If the attackers manage to log in as an administrator, they can easily clear their tracks.” concludes the company.

“We recommend reviewing log files for any requests originating from the following IP addresses:

- 5.189.221.98
- 185.109.21.157
- 192.121.16.196
- 194.68.32.71
- 178.125.204.198

The absence of any such log entries does not guarantee that your website has not been compromised. We recommend doing a thorough review if you see any abnormal activity or accounts on your site, and you are running a vulnerable version of the software.”

Pierluigi Paganini
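As an added example that is not part of the article or of Wordfence's advisory, the following Python script applies the triage guidance above to a web server access log: it flags requests carrying a `switch_back` query parameter and requests from the five IP addresses Wordfence listed. The log lines are constructed for the example, and the combined (Apache/nginx style) log format is an assumption; a `switch_back` parameter sent in a POST body would not appear in such a log.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The five source IPs named in the Wordfence advisory quoted in the article.
REPORTED_IPS = {
    "5.189.221.98", "185.109.21.157", "192.121.16.196",
    "194.68.32.71", "178.125.204.198",
}

# Assumed combined log format: ip ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # keep_blank_values so a bare "?switch_back" (no value) is still detected
    query = parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True)
    rec["reasons"] = []
    if "switch_back" in query:
        rec["reasons"].append("switch_back parameter")
    if rec["ip"] in REPORTED_IPS:
        rec["reasons"].append("reported source IP")
    return rec


def find_suspicious(lines):
    """Return parsed records that matched at least one indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["reasons"]:
            hits.append(rec)
    return hits


# Constructed sample log lines (RFC 5737 test addresses plus one reported IP).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Aug/2025:10:15:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.10 - - [01/Aug/2025:10:15:05 +0000] "GET /?switch_back=1 HTTP/1.1" 302 0
5.189.221.98 - - [01/Aug/2025:10:16:22 +0000] "GET /wp-login.php HTTP/1.1" 200 3300
198.51.100.7 - - [01/Aug/2025:10:17:40 +0000] "GET /wp-admin/ HTTP/1.1" 200 8800
""".splitlines()

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["target"], "->", ", ".join(hit["reasons"]))
```

A hit on the `switch_back` parameter alone is the stronger signal; as the advisory notes, an empty result does not prove the site was not compromised.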