CVE-2025-5947

The Service Finder Bookings plugin for WordPress


Executive summary

A critical vulnerability has been identified in the Service Finder Bookings plugin for WordPress, assigned CVE-2025-5947 with a CVSS score of 9.8. This flaw allows an unauthenticated attacker to bypass security checks and gain full administrative privileges over an affected website. Successful exploitation could lead to a complete site compromise, resulting in data theft, reputational damage, and the use of the website for malicious activities.

Vulnerability

The vulnerability is an authentication bypass that leads to privilege escalation. The plugin fails to properly validate user permissions or authentication status for a critical function. An unauthenticated remote attacker can exploit this by sending a specially crafted request to a specific plugin endpoint, tricking the application into granting them administrative-level privileges without requiring a valid username or password. This could allow the attacker to create new administrator accounts, modify site content, or execute arbitrary code within the context of the web server.

Business impact

This vulnerability is rated as Critical with a CVSS score of 9.8. The business impact of a successful exploit is severe and could result in a complete compromise of the organization's web presence. Potential consequences include the theft of sensitive customer information and user data, financial loss, significant reputational damage, and legal or regulatory penalties. A compromised website could also be used to host malware, launch phishing campaigns against customers, or serve as a pivot point for further attacks into the corporate network.

Remediation

Immediate Action: Update the Service Finder Bookings plugin for WordPress to the latest patched version recommended by the vendor. After patching, review all user accounts, especially those with administrative privileges, for unauthorized additions or modifications. Review web server access logs and plugin-specific logs for signs of exploitation that may have occurred before the update.

Proactive Monitoring: Implement enhanced monitoring for suspicious activity related to the WordPress installation. Specifically, look for unusual POST requests to plugin-specific endpoints (e.g., admin-ajax.php actions tied to the Service Finder plugin), unexpected creation of new administrator-level user accounts, and unauthorized modifications to plugin files or website content. Monitor for unexpected outbound network traffic from the web server.
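The two checks above (admin-ajax.php POSTs tied to the plugin, and administrator accounts that were not there before) can be scripted. The following is an added example written for this advisory, not code from the plugin vendor or from the advisory's author. The advisory does not name the plugin's AJAX action, so the action pattern `ASSUMED_ACTION_PATTERN` is an assumption to be replaced with the real action names once they are known, and the log lines are constructed. One caveat a practitioner should know: for POST requests WordPress usually receives the `action` parameter in the request body, which the standard combined access-log format does not record, so this query-string check only catches requests that carry the action in the URL; full request logging (a WAF or ModSecurity audit log) is needed to see the rest.

```python
"""Constructed example: flag plugin-related admin-ajax.php POSTs in access logs
and diff the current administrator list against a known-good baseline."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# ASSUMPTION: the advisory does not name the plugin's AJAX actions; this regex
# is a placeholder to be replaced with the real action names for your install.
ASSUMED_ACTION_PATTERN = r"service_finder|^sf_"

# Constructed sample lines (not real traffic): one source sends repeated
# plugin-tagged POSTs and then browses the user admin page.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jun/2025:14:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=service_finder_example HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.9 - - [10/Jun/2025:14:02:15 +0000] "GET /index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jun/2025:14:02:20 +0000] "POST /wp-admin/admin-ajax.php?action=service_finder_example HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.9 - - [10/Jun/2025:14:03:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 78 "https://example.test/wp-admin/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jun/2025:14:03:05 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 4096 "-" "curl/8.5.0"',
]


def parse_access_log(lines):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def ajax_action(path):
    """Return the `action` query parameter of an admin-ajax.php request, else None."""
    parts = urlsplit(path)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    return parse_qs(parts.query).get("action", [None])[0]


def flag_suspicious_ajax_posts(entries, action_pattern):
    """POST requests to admin-ajax.php whose action matches the plugin pattern."""
    pat = re.compile(action_pattern, re.IGNORECASE)
    hits = []
    for e in entries:
        if e["method"] != "POST":
            continue
        action = ajax_action(e["path"])
        if action and pat.search(action):
            hits.append({"ip": e["ip"], "ts": e["ts"],
                         "action": action, "status": e["status"]})
    return hits


def count_by_source(hits):
    """Number of flagged requests per source IP, to spot repeated probing."""
    return Counter(h["ip"] for h in hits)


def find_unexpected_admins(current_admins, baseline_admins):
    """Administrator logins present now but absent from the pre-incident baseline."""
    return sorted(set(current_admins) - set(baseline_admins))


if __name__ == "__main__":
    hits = flag_suspicious_ajax_posts(parse_access_log(SAMPLE_LOG),
                                      ASSUMED_ACTION_PATTERN)
    for h in hits:
        print(f"{h['ts']} {h['ip']} action={h['action']} status={h['status']}")
    print("per source:", dict(count_by_source(hits)))
    # Baseline and current lists are constructed; in practice feed in the
    # output of your user inventory (e.g. the WordPress Users screen) from
    # before and after the suspected exposure window.
    print("unexpected admins:",
          find_unexpected_admins(["admin", "support_svc"], ["admin"]))
```

Run the script against real logs by replacing `SAMPLE_LOG` with the file contents; a source that repeatedly posts to the plugin's action and then reaches `users.php` or creates an account is the pattern worth escalating.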

Compensating Controls: If immediate patching is not feasible, the risk can be temporarily mitigated by disabling and deactivating the Service Finder Bookings plugin until it can be updated. Alternatively, a Web Application Firewall (WAF) can be configured with specific rules to block malicious requests targeting the vulnerable plugin endpoints.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity of this vulnerability, immediate action is required. We strongly recommend prioritizing the deployment of the vendor-supplied patch for the Service Finder Bookings plugin across all affected websites. Although this CVE is not currently listed on the CISA KEV list, its high impact score makes it a prime candidate for future inclusion and a top target for attackers. Treat this vulnerability as an active and immediate threat to your organization.