CVE-2025-5954

Affected product: Service Finder SMS System plugin for WordPress

A critical vulnerability has been identified in the Service Finder SMS System plugin for WordPress, assigned CVE-2025-5954 with a CVSS score of 9.8.

Executive summary

CVE-2025-5954 is a critical vulnerability (CVSS 9.8) in the Service Finder SMS System plugin for WordPress. It allows an unauthenticated attacker to take over any user account on a website using the vulnerable plugin, including administrator accounts. Successful exploitation can lead to a complete compromise of the affected website, resulting in data theft, malicious content distribution, and significant reputational damage.

Vulnerability

The vulnerability exists due to a lack of proper authorization checks on a function within the plugin responsible for handling user account details. An unauthenticated attacker can manipulate this function to link a new phone number to an arbitrary user account, including an administrator's. By doing so, the attacker can then initiate a password reset or utilize an SMS-based login feature to gain complete control over the victim's account, effectively leading to a full account takeover and privilege escalation.
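The following is an added illustration of the flaw class described above (a phone-number update handler without an authorization check) beside a hardened form. It is not the plugin's code; the hook names, function names and the `sf_demo_phone` meta key are hypothetical placeholders.

```php
<?php
// Added example, not the plugin's own code. All sf_demo_* names are hypothetical.

// Weak pattern: the AJAX action is registered for unauthenticated callers
// (wp_ajax_nopriv_) and trusts a caller-supplied user ID, so any account's
// phone number can be rewritten. This is the class of defect the advisory describes.
add_action( 'wp_ajax_nopriv_sf_demo_update_phone', 'sf_demo_update_phone_weak' );
add_action( 'wp_ajax_sf_demo_update_phone', 'sf_demo_update_phone_weak' );
function sf_demo_update_phone_weak() {
    $user_id = (int) $_POST['user_id'];                    // attacker-controlled target
    $phone   = sanitize_text_field( $_POST['phone'] );
    update_user_meta( $user_id, 'sf_demo_phone', $phone ); // no ownership or capability check
    wp_send_json_success();
}

// Hardened pattern: logged-in callers only (no wp_ajax_nopriv_ registration),
// a nonce for CSRF protection, and the target defaults to the caller's own
// account unless the caller holds the edit_user capability for that user.
add_action( 'wp_ajax_sf_demo_update_phone_v2', 'sf_demo_update_phone_hardened' );
function sf_demo_update_phone_hardened() {
    check_ajax_referer( 'sf_demo_update_phone', 'nonce' ); // dies on a bad/missing nonce

    $caller = get_current_user_id();
    $target = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : $caller;

    // Authorization: self-service, or an explicit per-user capability check.
    if ( $target !== $caller && ! current_user_can( 'edit_user', $target ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Validation: reject anything that is not a plausible E.164-style number.
    $phone = sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) );
    if ( ! preg_match( '/^\+?[0-9]{7,15}$/', $phone ) ) {
        wp_send_json_error( 'invalid phone', 400 );
    }

    update_user_meta( $target, 'sf_demo_phone', $phone );

    // Audit trail: phone changes on privileged accounts should be reviewable,
    // which supports the log monitoring recommended under Remediation.
    error_log( sprintf( 'sf_demo: user %d changed phone of user %d', $caller, $target ) );
    wp_send_json_success();
}
```

Because the hardened handler is never registered under `wp_ajax_nopriv_`, WordPress returns a `0`/400 response to unauthenticated requests before the function body runs.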

Business impact

This vulnerability is of critical severity with a CVSS score of 9.8. Exploitation could have a severe and direct impact on business operations. An attacker gaining administrative access could lead to a complete compromise of the WordPress site, resulting in the theft of sensitive business and customer data (PII), defacement of the website, financial loss, and significant reputational harm. The compromised website could also be leveraged to host phishing campaigns or malware, posing a further risk to customers and the organization's brand integrity.

Remediation

Immediate Action: Immediately update the Service Finder SMS System plugin for WordPress to the latest patched version provided by the vendor. After updating, verify that the patch has been successfully applied and the site is functioning correctly.

Proactive Monitoring: Actively monitor for signs of compromise. Review web server and application access logs for unusual or repeated requests to plugin-specific endpoints, particularly those related to user profile updates or password resets. Scrutinize administrative account activity for unexpected logins, changes to user email addresses or phone numbers, or unauthorized content modifications.

Compensating Controls: If immediate patching is not feasible, disable the Service Finder SMS System plugin until it can be updated. If the plugin is business-critical and cannot be disabled, consider implementing a Web Application Firewall (WAF) rule to block access to the specific vulnerable function. Additionally, restrict access to the WordPress administrative dashboard (/wp-admin) to trusted IP addresses only.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Due to the critical severity (CVSS 9.8) of this vulnerability, we recommend immediate and urgent action. The risk of complete website compromise is extremely high. Organizations must prioritize applying the vendor-supplied patch across all affected WordPress instances without delay. Although this CVE is not currently on the CISA KEV list, its characteristics make it a prime candidate for future inclusion. Treat this vulnerability as an active threat and apply remediation immediately to prevent potential compromise.