Description
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and excluding, 6.1. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary users' email addresses, including administrators', and leverage that to reset the user's password and gain access to their account.
Published: 2025-11-01
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Account Takeover
Action: Immediate Patch
AI Analysis

Impact

The Service Finder Bookings plugin for WordPress allows an authenticated user with subscriber-level access or higher to modify any user's email address. Because the plugin does not properly validate a user's identity before updating their details, a malicious low-privileged account can change the email address of an administrator or other privileged user, trigger a password reset to the new address, and take control of that account. The weakness is an identity validation failure, classified as CWE-639 (Authorization Bypass Through User-Controlled Key).

Affected Systems

This issue affects the Service Finder Bookings WordPress plugin from aonetheme for all released versions prior to 6.1. Any WordPress installation using these older plugin versions is susceptible.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating high potential impact. However, the EPSS score is below 1%, indicating a low predicted probability of exploitation in the near term. The flaw is not listed in the CISA KEV catalog. An attacker must already be authenticated with a subscriber or higher role, then use the plugin's user-management interface to modify another user's email address. Once the email is changed, the attacker can initiate a password reset and gain administrative access.

Generated by OpenCVE AI on April 22, 2026 at 16:45 UTC.
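As an added illustration that is not the plugin's own code (which is not on this page), the hypothetical sfb_demo_* handlers below show the CWE-639 pattern described above beside a hardened version: the fix binds the email change to the authenticated user and relies on WordPress's own edit_user capability check for any other target. The nonce action name and handler names are assumptions.

```php
<?php
// Hypothetical illustration (not the plugin's code) of CWE-639 in a WordPress
// profile-update handler: trusting a caller-supplied user ID when changing an
// email address, shown beside a hardened version of the same handler.

// VULNERABLE: the user to update is taken from the request and never compared
// with the logged-in user, so any subscriber can rewrite an administrator's email.
function sfb_demo_update_email_vulnerable() {
    $user_id = (int) $_POST['user_id'];           // caller-controlled target
    $email   = sanitize_email( $_POST['email'] ); // sanitized, but for whom?
    wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    wp_send_json_success();
}

// HARDENED: bind the change to the authenticated identity and require the
// capability WordPress already defines for editing another account.
function sfb_demo_update_email_hardened() {
    // 1. CSRF protection: nonce issued with wp_create_nonce( 'sfb_demo_update_email' ).
    check_ajax_referer( 'sfb_demo_update_email', 'nonce' );

    // 2. Must be logged in at all.
    $current = get_current_user_id();
    if ( 0 === $current ) {
        wp_send_json_error( 'not logged in', 401 );
    }

    // 3. Identity check: default to the caller's own account; another target ID
    //    is accepted only when the caller holds edit_user for that specific account.
    $target = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : $current;
    if ( $target !== $current && ! current_user_can( 'edit_user', $target ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Validate the new value before it reaches the database.
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) || email_exists( $email ) ) {
        wp_send_json_error( 'invalid or duplicate email', 400 );
    }

    $result = wp_update_user( array( 'ID' => $target, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}

// Only the hardened handler is registered; wp_ajax_* hooks run for logged-in users.
add_action( 'wp_ajax_sfb_demo_update_email', 'sfb_demo_update_email_hardened' );
```

When reviewing a plugin for this class of bug, the question to ask of every profile-update endpoint is whether the target user ID comes from the request and, if so, whether a current_user_can( 'edit_user', $id ) check guards it.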

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Service Finder Bookings to version 6.1 or later to apply the vendor's fix for identity validation
  • If an upgrade is delayed, restrict the permissions of subscriber roles so that they cannot edit user profiles or email addresses
  • Immediately reset the passwords of all administrator accounts to strong values and review account recovery settings to prevent unauthorized resets
  • Monitor the site's user-management logs for anomalous email changes or password reset requests



Advisories

No advisories yet.

History

Mon, 03 Nov 2025 14:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 03 Nov 2025 10:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Wordpress; Wordpress wordpress

Sat, 01 Nov 2025 07:00:00 +0000

Type: Description
Values removed: (none)
Values added: The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and excluding, 6.1. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.

Type: Title
Values removed: (none)
Values added: Service Finder Bookings < 6.1 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover

Type: Weaknesses
Values removed: (none)
Values added: CWE-639

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:42.084Z

Reserved: 2025-06-24T14:07:03.697Z

Link: CVE-2025-6574

Vulnrichment

Updated: 2025-11-03T13:22:13.222Z

NVD

Status : Deferred

Published: 2025-11-01T07:15:35.727

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6574

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T16:45:21Z

Weaknesses