dark
Hand-Picked Top-Read Stories
Trending Tags
2 minute read

Critical Exploit Lets Hackers Bypass Authentication in WordPress Service Finder Theme

info@thehackernews.com (The Hacker News)
October 9, 2025
Threat actors are actively exploiting a critical security flaw impacting the Service Finder WordPress theme that makes it possible to gain unauthorized access to any account, including administrators, and take control of susceptible sites. The authentication bypass vulnerability, tracked as CVE-2025-5947 (CVSS score: 9.8), affects the Service Finder Bookings, a WordPress plugin bundled with the
Total
0
Shares
0
0
0
[[{“value”:”

Bypass Authentication in WordPress

Threat actors are actively exploiting a critical security flaw impacting the Service Finder WordPress theme that makes it possible to gain unauthorized access to any account, including administrators, and take control of susceptible sites.

The authentication bypass vulnerability, tracked as CVE-2025-5947 (CVSS score: 9.8), affects the Service Finder Bookings, a WordPress plugin bundled with the Service Finder theme. It was discovered by a researcher who goes by the name Foxyyy.

“This vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site, including accounts with the ‘administrator’ role,” Wordfence researcher István Márton said.

The problem, at its core, is a case of privilege escalation stemming from authentication bypass due to the plugin not adequately validating a user’s cookie value before logging them in through an account switching function (service_finder_switch_back()).

As a result, an unauthenticated attacker could take advantage of this behavior to sign in to the site as any user, including administrators, effectively hijacking the site and using it for nefarious purposes, such as inserting malicious code to redirect users to fake sites or use it to host malware.

CIS Build Kits

The shortcoming affects all versions of the theme prior to and including 6.0. It was addressed by the plugin maintainers on July 17, 2025, with the release of version 6.1. The theme has been sold to more than 6,100 customers, per data from Envato Market.

The WordPress security company said it has observed exploitation activity targeting CVE-2025-5947 since August 1, 2025, with over 13,800 attempts detected to date. However, the success rate of these efforts is currently not clear.

The following IP addresses have been observed targeting the Service Finder Bookings plugin account switching function –

  • 5.189.221.98
  • 185.109.21.157
  • 192.121.16.196
  • 194.68.32.71
  • 178.125.204.198

Administrators are recommended to audit their sites for any signs of suspicious activity and ensure all the plugins and themes are running the latest version.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Share 0
Tweet 0
Share 0
Share 0
Share 0
Previous Post

China-linked hackers target Asian organizations with Nezha monitoring tool

October 8, 2025
Next Post

From Phishing to Malware: AI Becomes Russia’s New Cyber Weapon in War on Ukraine

October 9, 2025
Related Posts
2 min

Cybersecurity Predictions 2026: The Hype We Can Ignore (And the Risks We Can’t)

As organizations plan for 2026, cybersecurity predictions are everywhere. Yet many strategies are still shaped by headlines and speculation rather than evidence. The real challenge isn’t a lack of forecasts—it’s identifying which predictions reflect real, emerging risks and which can safely be ignored. An upcoming webinar hosted by Bitdefender aims to cut through the noise with a data-driven
info@thehackernews.com (The Hacker News)
January 9, 2026
Read More
3 min

n8n Supply Chain Attack Abuses Community Nodes to Steal OAuth Tokens

Threat actors have been observed uploading a set of eight packages on the npm registry that masqueraded as integrations targeting the n8n workflow automation platform to steal developers' OAuth credentials. One such package, named "n8n-nodes-hfgjf-irtuinvcm-lasdqewriit," mimics a Google Ads integration, and prompts users to link their advertising account in a seemingly legitimate form and then
info@thehackernews.com (The Hacker News)
January 12, 2026
Read More
1 min

CISA Flags Actively Exploited Digiever NVR Vulnerability Allowing Remote Code Execution

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting Digiever DS-2105 Pro network video recorders (NVRs) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2023-52163 (CVSS score: 8.8), relates to a case of command injection that allows post-authentication remote code
info@thehackernews.com (The Hacker News)
December 25, 2025
Read More