CVE-2025-6574
WordPress · WordPress Service Finder Bookings plugin
A high-severity vulnerability has been discovered in the Service Finder Bookings plugin for WordPress, identified as CVE-2025-6574.
Executive summary
A high-severity vulnerability has been discovered in the Service Finder Bookings plugin for WordPress, identified as CVE-2025-6574. This flaw allows an attacker to take over user accounts, including those with administrative privileges, without authentication. Successful exploitation could grant an attacker full control over the affected website, leading to data theft, website defacement, or further malicious activities.
Vulnerability
The vulnerability exists within the user account management functions of the Service Finder Bookings plugin. It is a privilege escalation flaw that enables an unauthenticated attacker to illegitimately take over any existing user account. The likely attack vector involves manipulating specific requests sent to the plugin, bypassing standard authentication and authorization checks, to reset or change another user's password or email address, thereby locking out the legitimate user and granting the attacker full access to the account.
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.8. A successful exploit could have severe consequences for the business, granting an attacker administrative-level control over the WordPress site. This could lead to the theft of sensitive company or customer data, website defacement causing significant reputational damage, deployment of malware to attack site visitors, and complete disruption of online business operations. The compromise of an administrative account effectively hands over a critical digital asset to a malicious actor, posing direct financial, operational, and reputational risks.
Remediation
Immediate Action: All administrators of WordPress sites using the Service Finder Bookings plugin must immediately update it to version 6 or newer. After updating, review all user accounts, particularly those with administrative privileges, for any signs of unauthorized changes. If the plugin is no longer required for business operations, it should be deactivated and uninstalled to reduce the overall attack surface.
Proactive Monitoring: Monitor web server and application logs for suspicious activity targeting the plugin's endpoints, especially functions related to user profile updates or password resets. Security teams should look for unusual login patterns (e.g., logins from new IP addresses or geolocations for administrator accounts), unexpected changes to user account details (email, password), and the creation of new, unauthorized administrative users.
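As a concrete form of the account-change monitoring described above, the following is an added example, not code from the Service Finder Bookings plugin or its vendor: a WordPress must-use plugin that hooks the core `profile_update`, `after_password_reset`, `set_user_role` and `user_register` actions and writes an audit line for every email, password or role change, marking changes made with no logged-in user or touching an administrator. Because the advisory does not name the plugin's affected endpoints, it records the outcome of a request rather than the request itself; the `[REVIEW]` marker and the `acct_audit_*` names are this example's own conventions.

```php
<?php
/**
 * Plugin Name: Account-change audit (added example, not the Service Finder plugin's code)
 * Place in wp-content/mu-plugins/. Logs email, password and role changes; entries
 * made with no logged-in user, or touching an administrator, are marked [REVIEW].
 */
// Who (if anyone) is logged in, and from where, at the moment of the change.
function acct_audit_context(): string {
    $actor = is_user_logged_in() ? wp_get_current_user()->user_login : 'unauthenticated';
    $ip    = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    $uri   = $_SERVER['REQUEST_URI'] ?? '';
    return sprintf('actor=%s ip=%s uri=%s', $actor, $ip, $uri);
}

function acct_audit_log(string $event, int $user_id, string $detail = ''): void {
    $user  = get_userdata($user_id);
    $login = $user ? $user->user_login : "id:$user_id";
    $admin = $user && in_array('administrator', (array) $user->roles, true);
    $flag  = (!is_user_logged_in() || $admin) ? ' [REVIEW]' : '';
    error_log(sprintf('[acct-audit]%s %s user=%s %s %s',
        $flag, $event, $login, $detail, acct_audit_context()));
}

// Email or password changed via wp_update_user(); compare old and new records.
add_action('profile_update', function (int $user_id, $old) {
    $new = get_userdata($user_id);
    if (!$new || !$old) { return; }
    if ($new->user_email !== $old->user_email) {
        acct_audit_log('email_changed', $user_id, "from={$old->user_email} to={$new->user_email}");
    }
    if ($new->user_pass !== $old->user_pass) {
        acct_audit_log('password_changed', $user_id);
    }
}, 10, 2);

// Reset flow: unauthenticated by design, so one entry is normal; a burst across accounts is not.
add_action('after_password_reset', function ($user) {
    acct_audit_log('password_reset', (int) $user->ID);
}, 10, 1);

// Role change, including promotion of an existing account to administrator.
add_action('set_user_role', function (int $user_id, string $role, array $old_roles) {
    acct_audit_log('role_changed', $user_id, 'from=' . implode(',', $old_roles) . " to=$role");
}, 10, 3);

// New account: record the roles it was created with.
add_action('user_register', function (int $user_id) {
    $u = get_userdata($user_id);
    acct_audit_log('user_created', $user_id, 'roles=' . implode(',', $u ? (array) $u->roles : []));
}, 10, 1);
```

Entries land in the PHP error log (or wherever `error_log` is routed); ship them to the SIEM and alert on `[REVIEW]` lines, on several `password_reset` or `email_changed` entries from one IP in a short window, and on any `user_created` or `role_changed` entry naming `administrator`.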
Compensating Controls: If immediate patching is not feasible, consider implementing the following controls:
- Deploy a Web Application Firewall (WAF) with virtual patching rules designed to block exploit attempts against this specific vulnerability.
- Enforce mandatory Multi-Factor Authentication (MFA) for all WordPress users, especially administrators, to make account takeover significantly more difficult.
- Restrict access to the WordPress administration panel (/wp-admin) to trusted IP addresses only.
- Temporarily disable the vulnerable plugin until a patch can be applied.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score of 8.8, this vulnerability presents a significant and immediate risk to the organization. We strongly recommend that all teams responsible for WordPress websites prioritize the immediate patching of the Service Finder Bookings plugin to the latest secure version. Although this vulnerability is not currently listed on the CISA KEV catalog, its severity makes it a prime candidate for future inclusion and a high-value target for attackers. Immediate remediation is the most effective strategy to prevent a potential compromise.