CVE-2025-5949
Service · Service Finder Bookings plugin for WordPress
Executive summary
A critical vulnerability has been identified in the Service Finder Bookings plugin for WordPress, assigned CVE-2025-5949. This flaw allows an unauthenticated attacker to take over any user account, including administrator accounts, granting them full control over the affected website. Successful exploitation could lead to complete system compromise, data theft, and significant operational disruption.
Vulnerability
The vulnerability exists within the plugin's user account management functions. An unauthenticated attacker can exploit this flaw to illicitly modify the details of an existing user account, such as changing the associated email address or resetting the password. By targeting an account with administrative privileges, the attacker can escalate their privileges to the highest level, effectively gaining complete control of the WordPress site.
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.8. A successful exploit would have a severe business impact, leading to a full compromise of the affected WordPress website. An attacker with administrative access could steal sensitive user data, deface the website, install malicious backdoors, distribute malware to visitors, or use the server for further attacks. This can result in significant financial loss, reputational damage, and potential regulatory fines for data breaches.
Remediation
Immediate Action:
- Immediately update the Service Finder Bookings plugin to the latest version available from the vendor, which addresses this vulnerability.
- If the plugin is not essential for business operations, consider deactivating and removing it to eliminate the attack surface.
- After updating, perform a security audit of all user accounts, particularly administrator accounts, to check for any unauthorized changes to emails, passwords, or user roles.
Proactive Monitoring:
- Monitor web server access logs for unusual POST requests to user profile update pages or password reset endpoints associated with the plugin.
- Review WordPress audit logs for unexpected user account modifications, such as password changes or email address updates initiated from unknown IP addresses.
- Set up alerts for the creation of new administrative accounts or privilege escalation events for existing accounts.
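The log review described under Proactive Monitoring can be scripted. The following is an added example, not code from the advisory or from the plugin vendor: it parses web server access logs in the Apache/nginx combined format, keeps only POST requests to account management endpoints, discards sources inside a trusted allow-list, and reports any remaining source that crosses a request threshold. The endpoint patterns (`admin-ajax.php`, the `wp-login.php` reset actions, and a generic `/wp-json/` profile route), the trusted network, and the sample log lines are all constructed assumptions; the advisory does not name the plugin's actual profile update or password reset handlers, so substitute the real paths before use.

```python
"""Flag POST requests to account-management endpoints from untrusted sources.

Added example for the advisory's monitoring guidance; not the plugin's code.
Endpoint patterns, trusted network and sample log lines are ASSUMED placeholders.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Apache/nginx combined log format:
# ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# ASSUMED endpoint patterns; replace with the plugin's real account routes.
SENSITIVE_PATHS = [
    re.compile(r"/wp-admin/admin-ajax\.php"),  # many plugins route AJAX handlers here
    re.compile(r"/wp-login\.php\?action=(lostpassword|rp|resetpass)"),
    re.compile(r"/wp-json/.*(profile|password|account)", re.IGNORECASE),
]

# Constructed allow-list (TEST-NET-3); sources inside it are not reported.
TRUSTED_NETS = [ip_network("203.0.113.0/24")]

# Constructed sample log lines (documentation IP ranges only).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jun/2025:13:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/Jun/2025:13:01:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/Jun/2025:13:01:04 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.5 - - [10/Jun/2025:13:05:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2025:13:06:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 100 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2025:13:07:00 +0000] "POST /wp-json/example-plugin/v1/profile HTTP/1.1" 200 80 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_sensitive(path):
    """True if the request path matches one of the account-management patterns."""
    return any(p.search(path) for p in SENSITIVE_PATHS)


def is_trusted(ip):
    """True if the source address falls inside an allow-listed network."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # malformed address: treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)


def scan(lines, threshold=3):
    """Collect untrusted POSTs to sensitive endpoints per source IP.

    Returns (hits, noisy): hits maps ip -> [(time, path, status), ...];
    noisy is the set of ips with at least `threshold` such requests.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not is_sensitive(rec["path"]) or is_trusted(rec["ip"]):
            continue
        hits[rec["ip"]].append((rec["time"], rec["path"], rec["status"]))
    noisy = {ip for ip, events in hits.items() if len(events) >= threshold}
    return dict(hits), noisy


if __name__ == "__main__":
    hits, noisy = scan(SAMPLE_LOG.splitlines())
    for ip, events in hits.items():
        tag = "ALERT" if ip in noisy else "review"
        print(f"{tag}: {ip} made {len(events)} account-related POST(s)")
        for when, path, status in events:
            print(f"    {when}  {path}  -> {status}")
```

Run it against a real access log by passing the file's lines to `scan()` instead of `SAMPLE_LOG`; the threshold is deliberately low because a handful of password-reset or profile-update POSTs from a single unfamiliar address is already worth a look when this flaw is unpatched. Pair the output with the WordPress-side audit log review the advisory also recommends, since a single successful request is enough to change an account's email or password.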
Compensating Controls:
- If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules specifically designed to block attempts to exploit this vulnerability.
- Restrict access to the WordPress administrative dashboard (/wp-admin/) to only trusted IP addresses.
- Temporarily disable the user profile management features of the plugin until a patch can be applied.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 8.8) of this vulnerability and its potential for complete website compromise, we strongly recommend immediate action. Although this CVE is not currently listed on the CISA KEV list, the impact of a successful attack is critical. All organizations using the Service Finder Bookings plugin must prioritize applying the security update immediately. Following the update, a comprehensive review of all user accounts is essential to ensure no prior compromise has occurred.