The Service Finder Bookings plugin for WordPress allows a user who is authenticated with a subscriber role or higher to maliciously change the password of any other account, including administrators. The vulnerability exists because the plugin does not verify the requester's identity before processing a password change, a classic account takeover flaw (CWE‑639). An attacker who can log in can reset another user’s password, thereby gaining that user’s access and violating both confidentiality and integrity of the site.

WordPress sites that have the Service Finder Bookings plugin installed in any release up to and including version 6.0 are affected. The vulnerability was discovered in the plugin hosted on ThemeForest and affects users who have deployed the plugin on their WordPress sites.

The listing has a CVSS score of 8.8, indicating high severity, and an EPSS score of less than 1 %, suggesting that the probability of exploitation in the wild is currently low. The vulnerability is not yet reported in the CISA KEV catalog. Because the flaw requires only that the attacker be an authenticated user with subscriber privileges, the attack vector is likely an authenticated user interface or API call to change_candidate_password. Exploitation would involve the attacker submitting a request to reset a target account’s password, which the plugin will accept without further validation, effectively allowing the attacker to take full control of the target account.