CVE-2025-5948

The Service Finder Bookings plugin for WordPress

Executive summary

A critical vulnerability has been identified in the Service Finder Bookings plugin for WordPress, designated CVE-2025-5948. This flaw allows an unauthenticated attacker to take over any user account, including administrator accounts, leading to a full compromise of the affected website. Due to the ease of exploitation and the potential for complete system control, this vulnerability poses a severe risk to organizations using this plugin.

Vulnerability

The vulnerability exists because the plugin fails to properly validate user identity during account modification. An unauthenticated attacker can craft a request that targets another user's account (e.g., by knowing that user's username or user ID) and change its details, such as the password or email address. With the email address replaced, the attacker can trigger a password reset to the new address, lock the legitimate user out, and gain complete control of the account, inheriting the privileges of the compromised user.
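As an added illustration (not the plugin's code, and not a description of its actual handler), the following hypothetical WordPress AJAX profile-update handler shows the checks whose absence produces the class of flaw described above: identity taken from the session rather than the request, a nonce, a capability check, and re-authentication before a password change. The action name and the `sf_demo_` prefix are assumptions.

```php
<?php
// Added illustration, not the plugin's code: a hypothetical WordPress AJAX
// "update my profile" handler hardened against the flaw the advisory
// describes (trusting a client-supplied user ID with no identity check).
// The action name and the sf_demo_ prefix are assumptions.
function sf_demo_update_profile() {
    // 1. Identity: reject unauthenticated callers. The flawed pattern skips
    //    this and reads the target account from $_POST['user_id'].
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    // 2. CSRF: the nonce ties the request to this user's session.
    check_ajax_referer( 'sf_demo_update_profile', 'nonce' );
    // 3. Bind the target account to the session, never to request data.
    $user_id = get_current_user_id();
    // 4. Authorization: the caller must be allowed to edit this account.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $fields = array( 'ID' => $user_id );

    // 5. Email change: validate it; a new address is exactly what would let
    //    a password reset be redirected to the attacker.
    if ( ! empty( $_POST['email'] ) ) {
        $email = sanitize_email( wp_unslash( $_POST['email'] ) );
        if ( ! is_email( $email ) ) {
            wp_send_json_error( 'invalid email', 400 );
        }
        $fields['user_email'] = $email;
    }

    // 6. Password change: require the current password to be re-entered.
    if ( ! empty( $_POST['password'] ) ) {
        $user    = wp_get_current_user();
        $current = isset( $_POST['current_password'] ) ? $_POST['current_password'] : '';
        if ( ! wp_check_password( $current, $user->user_pass, $user_id ) ) {
            wp_send_json_error( 'current password incorrect', 403 );
        }
        $fields['user_pass'] = $_POST['password'];
    }

    $result = wp_update_user( $fields );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success();
}
// Register only the authenticated hook; deliberately no wp_ajax_nopriv_
// variant, so the endpoint is unreachable without a session.
add_action( 'wp_ajax_sf_demo_update_profile', 'sf_demo_update_profile' );
```

Because `wp_send_json_error()` and a failed `check_ajax_referer()` terminate the request, no update code runs unless every check passes.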

Business impact

This vulnerability is rated as critical with a CVSS score of 9.8, reflecting the high potential for significant damage. Successful exploitation could lead to a complete takeover of the organization's WordPress site. The business impact includes, but is not limited to, theft of sensitive customer data and personally identifiable information (PII), financial loss, website defacement, reputational damage, and the potential for the compromised website to be used for hosting malware or launching further attacks.

Remediation

Immediate Action: Update the Service Finder Bookings plugin for WordPress to the latest version provided by the vendor. Before deploying to production, test the update in a staging environment to confirm compatibility and functionality.

Proactive Monitoring: Review web server and application access logs for any unusual or unauthorized attempts to modify user account information. Specifically, monitor for unexpected password resets, changes to administrator email addresses, or logins from unfamiliar IP addresses. Implement alerts for modifications to critical user accounts.

Compensating Controls: If immediate patching is not feasible, consider the following mitigating actions:

  • Implement a Web Application Firewall (WAF) with virtual patching rules to block malicious requests targeting the plugin's vulnerable functions.
  • Temporarily disable the Service Finder Bookings plugin until it can be safely updated.
  • Enforce Multi-Factor Authentication (MFA) for all WordPress users, especially administrators, to add an extra layer of security against account takeover.

Exploitation status

Public exploit available: No

Analyst recommendation

Given the critical CVSS score of 9.8 and the high risk of a complete website compromise, we strongly recommend that organizations prioritize the remediation of this vulnerability. All instances of the Service Finder Bookings plugin should be updated to the latest patched version without delay. Due to the high likelihood of future exploitation, organizations should treat this as an urgent threat and apply the necessary updates immediately.