Description
The Service Finder SMS System plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.0.0. This is due to the plugin not restricting user role selection at the time of registration through the aonesms_fn_savedata_after_signup() function. This makes it possible for unauthenticated attackers to register as an administrator user.
Published: 2025-08-01
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

The Service Finder SMS System plugin for WordPress allows any internet user to register a new account without authentication, and the plugin does not limit the role that can be selected during registration. The flaw in the aonesms_fn_savedata_after_signup() function lets an attacker choose an administrator role, effectively creating a new admin account with full control over the site. This vulnerability is a classic privilege escalation via account takeover covered by CWE‑269, yielding complete compromise of confidentiality, integrity, and availability for the affected WordPress installation.

Affected Systems

All WordPress sites deploying the Service Finder SMS System plugin versions up to and including 2.0.0 are affected. The plugin is distributed by Aone Theme and appears in several WordPress theme marketplaces.

Risk and Exploitability

The CVSS score of 9.8 classifies this flaw as critical, and while the EPSS score of <1% indicates a very low probability of exploitation, the severity is high enough that it could be targeted by adversaries with modest resources. The vulnerability can be exploited by sending an unauthenticated HTTP registration request with a desired role of administrator. The vulnerability is not listed in CISA’s KEV catalog, but its impact justifies immediate attention.

Generated by OpenCVE AI on April 21, 2026 at 19:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Service Finder SMS System plugin to a version newer than 2.0.0 if available.
  • If no upgrade exists, temporarily disable new user registrations or block the /register endpoint until a fix can be applied.
  • Configure the WordPress security settings or use a role‑restriction plugin to prevent untrusted users from selecting high‑privilege roles during signup.


Advisories
Source | ID | Title
EUVD | EUVD-2025-23317 | The Service Finder SMS System plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.0.0. This is due to the plugin not restricting user role selection at the time of registration through the aonesms_fn_savedata_after_signup() function. This makes it possible for unauthenticated attackers to register as an administrator user.

History

Mon, 04 Aug 2025 09:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Aonetheme; Aonetheme service Finder Sms System; Wordpress; Wordpress wordpress
Vendors & Products | | Aonetheme; Aonetheme service Finder Sms System; Wordpress; Wordpress wordpress

Fri, 01 Aug 2025 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 Aug 2025 02:45:00 +0000

Type | Values Removed | Values Added
Description | | The Service Finder SMS System plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.0.0. This is due to the plugin not restricting user role selection at the time of registration through the aonesms_fn_savedata_after_signup() function. This makes it possible for unauthenticated attackers to register as an administrator user.
Title | | Service Finder SMS System <= 2.0.0 - Unauthenticated Privilege Escalation
Weaknesses | | CWE-269
References | |
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:52:42.864Z

Reserved: 2025-06-09T19:15:04.212Z

Link: CVE-2025-5954

Vulnrichment

Updated: 2025-08-01T19:08:09.307Z

NVD

Status: Deferred

Published: 2025-08-01T03:15:24.433

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5954

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T19:45:16Z
