Actively Exploited: Critical Flaw CVE-2025-5947 (CVSS 9.8) Allows Unauthenticated Admin Takeover in WordPress Plugin

Researchers at Wordfence have issued an urgent warning about an actively exploited authentication bypass in the Service Finder Bookings plugin — a component bundled with the popular Service Finder WordPress theme, used by roughly 6,000 customers worldwide.

The vulnerability, tracked as CVE-2025-5947, carries a CVSS score of 9.8. According to Wordfence, “an Authentication Bypass vulnerability in Service Finder Bookings, a WordPress plugin bundled with the Service Finder theme… makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts with the ‘administrator’ role.”

The flaw stems from the plugin’s insecure account-switching feature, implemented through the service_finder_switch_back() function. This function allows a user to switch back to a previous account after impersonation — but it fails to verify whether the action is authorized.

As the report explains,

“Unfortunately, this functionality was insecurely implemented as it does not include any authentication or authorization checks. This makes it possible for threat actors to bypass authentication and gain access to arbitrary accounts on sites running a vulnerable version of the plugin.”

In practice, attackers can trigger the vulnerability by sending a simple HTTP request to a vulnerable site using a crafted cookie. Wordfence provides an example exploit:

GET /?switch_back=1 HTTP/1.1
Cookie: original_user_id=1;

This effectively logs the attacker in as the WordPress administrator (user ID 1) without needing valid credentials — a complete authentication bypass.

Once authenticated, the attacker can install malicious plugins, create new admin accounts, exfiltrate data, or deface the website entirely.

Wordfence notes that the vulnerability was patched on July 17, 2025, and publicly disclosed on July 31, 2025. However, attackers wasted no time exploiting it:

“Our records indicate that attackers started exploiting the issue the next day on August 1, 2025. The Wordfence Firewall has already blocked over 13,800 exploit attempts targeting this vulnerability.”

Exploitation campaigns have remained active through September, with spikes in malicious traffic observed between September 22nd and 29th. The attacks primarily originate from a small cluster of aggressive IPs, including:

  • 5.189.221.98 — over 2,700 blocked requests
  • 185.109.21.157 — over 2,600 blocked requests
  • 192.121.16.196 — over 2,600 blocked requests
  • 194.68.32.71 — over 2,300 blocked requests
  • 178.125.204.198 — over 1,400 blocked requests

A visual breakdown shared by Wordfence shows these IPs accounting for the majority of exploit attempts detected by its Web Application Firewall (WAF) between August and October.

Unfortunately, there are few obvious indicators of compromise, making detection challenging for site owners. Wordfence warns,

“There are currently no clear or easily identifiable indicators of compromise aside from logged requests containing the ‘switch_back’ parameter. If the attackers manage to log in as an administrator, they can easily clear their tracks.”

Website administrators are urged to review access logs for requests that include the switch_back query parameter, as well as for activity from the IP addresses listed above. Even if such entries are absent, Wordfence cautions that compromise cannot be ruled out.
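As an added example (not code from the Wordfence report or the plugin), the following Python scanner applies the two checks above to web server access logs in the common "combined" format: it flags any request whose URL carries a switch_back query parameter and any request from the IP addresses listed in the report. The log lines are constructed samples; 203.0.113.5 is a documentation-range address standing in for an ordinary visitor.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Source IPs named in the Wordfence report (taken from the article above).
REPORTED_IPS = {
    "5.189.221.98", "185.109.21.157", "192.121.16.196",
    "194.68.32.71", "178.125.204.198",
}

# Apache/nginx "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def has_switch_back(path: str) -> bool:
    """True if the request URL carries a switch_back query parameter (any value)."""
    return "switch_back" in parse_qs(urlsplit(path).query, keep_blank_values=True)

def scan_access_log(lines):
    """Return one finding per suspicious line, with the reason(s) it was flagged."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        reasons = []
        if has_switch_back(m["path"]):
            reasons.append("switch_back parameter")
        if m["ip"] in REPORTED_IPS:
            reasons.append("IP listed in Wordfence report")
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"],
                             "status": int(m["status"]), "reasons": reasons})
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [23/Sep/2025:10:01:12 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
5.189.221.98 - - [23/Sep/2025:10:02:45 +0000] "GET /?switch_back=1 HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.5 - - [23/Sep/2025:10:03:07 +0000] "GET /blog/?switch_back=1&x=2 HTTP/1.1" 302 0 "-" "curl/8.0"
185.109.21.157 - - [23/Sep/2025:10:04:30 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "curl/8.0"
""".splitlines()

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} -> {', '.join(f['reasons'])}")
```

A 302 on a switch_back request does not by itself prove a successful takeover, so matching lines should be correlated with subsequent admin activity (new users, plugin installs) from the same client.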

At the time of reporting, the latest safe version of the plugin is Service Finder Bookings 6.1. Wordfence strongly advises all users to upgrade immediately.
