Description
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's cookie value prior to logging them in through the service_finder_switch_back() function. This makes it possible for unauthenticated attackers to login as any user including admins.
Published: 2025-08-01
Score: 9.8 Critical
EPSS: 61.7% High
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Service Finder Bookings WordPress plugin is vulnerable to a severe authentication bypass that allows an unauthenticated attacker to assume the identity of any user, including administrators. The flaw resides in the service_finder_switch_back() function, which logs users in without properly validating a cookie value. An attacker can craft a malicious cookie to trigger this function, thereby gaining full access to site content, configuration, and data, which undermines confidentiality, integrity, and availability.
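To make the weakness class concrete, the block below is an added PHP illustration written for this page, not code from the Service Finder Bookings plugin: a "switch back" handler that trusts a user ID carried in a cookie (the pattern the description attributes to service_finder_switch_back(), CWE-639), next to a hardened version that only honours an HMAC-signed, expiring token minted by an authorised switch-into step. The cookie name user_switch_cookie, the demo_* function names and the use of the init hook are assumptions; the WordPress API calls (wp_set_auth_cookie, wp_salt, current_user_can, user_can, check_admin_referer) are real.

```php
<?php
/*
 * Added example for this page; NOT code from the Service Finder Bookings plugin.
 * Assumptions: cookie name 'user_switch_cookie', the demo_* names, the 'init' hook.
 * Needs a WordPress runtime for the wp_* / *_can functions used below.
 */

/* Vulnerable pattern (CWE-639): the cookie alone decides which account is opened.
 * Any anonymous client can send  Cookie: user_switch_cookie=1  and become user ID 1. */
function demo_switch_back_vulnerable() {
    if ( empty( $_COOKIE['user_switch_cookie'] ) ) {
        return;
    }
    $user = get_user_by( 'id', absint( $_COOKIE['user_switch_cookie'] ) );
    if ( $user ) {
        wp_set_current_user( $user->ID );
        wp_set_auth_cookie( $user->ID );   // nothing proves the caller ever switched
    }
}

/* Hardened pattern: the cookie carries an HMAC-signed, expiring token that only the
 * switch-into step (run by an authorised user) can mint; switching back re-checks
 * the token, the session, and the original user's current rights. */
function demo_switch_token_create( $original_user_id, $ttl = 3600 ) {
    $payload = absint( $original_user_id ) . '|' . ( time() + $ttl );
    return $payload . '|' . hash_hmac( 'sha256', $payload, wp_salt( 'auth' ) );
}

function demo_switch_token_verify( $token ) {
    $parts = explode( '|', (string) $token );
    if ( count( $parts ) !== 3 ) {
        return 0;
    }
    list( $user_id, $expires, $mac ) = $parts;
    $expected = hash_hmac( 'sha256', $user_id . '|' . $expires, wp_salt( 'auth' ) );
    if ( ! hash_equals( $expected, $mac ) || (int) $expires < time() ) {
        return 0;                           // forged or expired token
    }
    return absint( $user_id );
}

function demo_clear_switch_cookie() {
    setcookie( 'user_switch_cookie', '', time() - 3600, COOKIEPATH, COOKIE_DOMAIN );
}

/* Switching INTO another account: requires a logged-in, privileged user and a nonce. */
function demo_switch_to( $target_user_id ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_users' ) ) {
        wp_die( 'Not allowed', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'demo_switch_to_' . absint( $target_user_id ) );   // CSRF guard
    $token = demo_switch_token_create( get_current_user_id() );
    setcookie( 'user_switch_cookie', $token, time() + 3600, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
    wp_set_auth_cookie( absint( $target_user_id ) );
}

/* Switching BACK: only an authenticated session holding a valid token gets the
 * original account, and only if that account is still allowed to switch. */
function demo_switch_back_hardened() {
    if ( empty( $_COOKIE['user_switch_cookie'] ) ) {
        return;
    }
    $original_id = is_user_logged_in()
        ? demo_switch_token_verify( $_COOKIE['user_switch_cookie'] )
        : 0;
    demo_clear_switch_cookie();             // one-shot: the token is consumed either way
    if ( ! $original_id || ! user_can( $original_id, 'edit_users' ) ) {
        return;                             // anonymous caller, bad token, or demoted user
    }
    wp_set_auth_cookie( $original_id );
    wp_safe_redirect( admin_url() );
    exit;
}
add_action( 'init', 'demo_switch_back_hardened' );
```

The dangerous primitive in the first function is calling wp_set_auth_cookie() with an ID that came straight from the request. The hardened version never does that: the ID it logs in is recovered only from a token whose MAC is keyed with wp_salt('auth'), which an outside attacker cannot compute, and even a valid token is rejected for anonymous callers, after expiry, or when the original user has since lost the capability.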

Affected Systems

All versions of the Service Finder Bookings plugin provided by aonetheme up to and including 6.0 are affected. Any WordPress site running one of these versions is vulnerable, and because the plugin is distributed through commercial theme marketplaces, many sites worldwide may be impacted.

Risk and Exploitability

The CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) classifies this vulnerability as critical, and the EPSS score of 61.7% indicates a high likelihood of exploitation in the wild. The vulnerability is not yet listed in the CISA KEV catalog, but the combination of a critical severity rating, public disclosure, and widespread use signals imminent risk. The attack vector is inferred to be web-based cookie manipulation: an attacker only needs to send a crafted user-switch cookie value (referred to here as user_switch_cookie) from a browser or a simple script to trigger the unauthorized login, so the exploit is trivial for anyone with basic web skills. No prior authentication, user interaction, or host access is required; network access to the site is enough.

Generated by OpenCVE AI on May 28, 2026 at 15:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and apply any official plugin update that addresses the authentication bypass.
  • If an update is unavailable, disable the User Switch feature in the plugin settings or block the service_finder_switch_back endpoint using a web‑application firewall or .htaccess rule.
  • Expire any existing user_switch_cookie values (have the site re-set the cookie with a past expiry) and invalidate active sessions so that previously issued values cannot be replayed.
  • Enforce least-privilege roles, review the site for unexpected administrator accounts, sessions, or changes, and monitor authentication and audit logs for unexplained logins and privilege changes.

Advisories
Source: EUVD
ID: EUVD-2025-23319
Title: The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's cookie value prior to logging them in through the service_finder_switch_back() function. This makes it possible for unauthenticated attackers to login as any user including admins.
History

Thu, 23 Oct 2025 14:30:00 +0000


Thu, 09 Oct 2025 17:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 Aug 2025 19:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 Aug 2025 07:45:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Fri, 01 Aug 2025 03:30:00 +0000

Type: Description
Values Added: The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's cookie value prior to logging them in through the service_finder_switch_back() function. This makes it possible for unauthenticated attackers to login as any user including admins.
Type: Title
Values Added: Service Finder Bookings <= 6.0 - Authentication Bypass via User Switch Cookie
Type: Weaknesses
Values Added: CWE-639
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:19:58.726Z

Reserved: 2025-06-09T18:12:28.543Z

Link: CVE-2025-5947

Vulnrichment

Updated: 2025-10-23T13:24:36.769Z

NVD

Status : Deferred

Published: 2025-08-01T04:16:21.693

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5947

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T15:45:19Z

Weaknesses