Critical WordPress plugin flaw lets hackers takeover any site instantly. Zero-click attack underway. Patch to 6.1 now or get hacked.

Continue reading
A critical authentication bypass vulnerability (CVE-2025-5947) has been identified in the Service Finder Bookings WordPress plugin, rated with a CVSS score of 9.8. Active exploitation campaigns have been observed since August 2025, enabling unauthenticated attackers to compromise any user account, including administrative privileges, leading to complete site takeover.
| Parameter | Details |
|---|---|
| CVE Identifier | CVE-2025-5947 (Primary), CVE-2025-5948 (Secondary) |
| CVSS Score | 9.8 (Critical) |
| Vulnerability Type | Authentication Bypass |
| Attack Vector | Network (Unauthenticated) |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
Vulnerable Function: `service_finder_switch_back()` Root Cause: Improper validation of user-supplied cookie parameters Technical Mechanism: ```php // Vulnerable code pattern (simplified) function service_finder_switch_back() { $user_id = $_COOKIE['switch_user_id']; // No proper validation wp_set_current_user($user_id); // Direct privilege assignment } ``` Impact: Allows unauthenticated attackers to specify any user ID and assume that identity.
Vulnerable Endpoint: `claim_business` AJAX action Root Cause: Missing authorization checks Impact: Enables account takeover through business claim functionality.
| Impact Area | Severity | Description |
|---|---|---|
| Privilege Escalation | Critical | Unauthenticated attackers can become any user |
| Administrative Compromise | Critical | Full WordPress admin access achievable |
| Data Confidentiality | High | Access to all user data, including potential PII |
| Data Integrity | Critical | Modify/delete any content or user data |

CRITICAL ACTIONS (0-24 HOURS)
PRIORITY ACTIONS (24-72 HOURS)
# WordPress CLI command to update plugin
wp plugin update service-finder-bookings
# Alternative: Disable plugin
wp plugin deactivate service-finder-bookings| IP Address | First Seen | ASN | Country | Threat Score |
|---|---|---|---|---|
| 5.189.221.98 | August 2025 | 51167 | Romania | High |
| 185.109.21.157 | August 2025 | 210644 | Russia | High |
| 192.121.16.196 | September 2025 | 51167 | Romania | High |
| 194.68.32.71 | September 2025 | 197351 |
# Suspicious request patterns to monitor
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" security
# Detection rules for exploitation attempts
RewriteCond %{QUERY_STRING} "action=service_finder_switch_back" [NC]
RewriteCond %{QUERY_STRING} "user_id=[0-9]+" [NC]
RewriteRule .* - [F,L]-- Check for suspicious user privilege changes
SELECT * FROM wp_users
WHERE user_registered > '2025-08-01'
AND user_level = 10;
-- Review user meta for role changes
SELECT * FROM wp_usermeta
WHERE meta_key = 'wp_capabilities'
AND meta_value LIKE '%administrator%';
Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.
| High |
| Complete site takeover and defacement possible |
| Ukraine |
| Medium |
| 178.125.204.198 | October 2025 | 51548 | Ukraine | Medium |