Critical Exploit Allows Hackers to Bypass Security Measures Easily

Attackers are actively exploiting a critical vulnerability in the Service Finder WordPress theme, tracked as CVE-2025-5947, to gain unauthorized access to any account, including administrator accounts, and potentially take over affected websites. The flaw, discovered by researcher Foxyyy, carries a severity score of 9.8 and affects the Service Finder Bookings plugin bundled with the theme. It stems from inadequate cookie validation in the service_finder_switch_back() function: because the cookie that drives the switch-back is not properly validated, an attacker can log in as any user without authenticating.
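The root cause described above is a switch-back cookie that is trusted without proper validation. As an added illustration (not the theme's code, and written in Python rather than the plugin's PHP), the block below shows how such a cookie should be bound and checked: an HMAC over the original admin, the target account and an expiry, a constant-time signature comparison, a check that the cookie belongs to the current session, and a re-check that the original account still holds admin rights. The secret, the claim names and the `is_admin` callback are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment keys this from server-side secret material.
SECRET = b"constructed-demo-secret-do-not-reuse"


def issue_switch_back_cookie(original_admin_id, target_user_id, ttl_seconds=3600, now=None):
    """Mint a cookie binding who switched, whom they switched to, and when it expires."""
    exp = int(now if now is not None else time.time()) + ttl_seconds
    claims = {"orig": original_admin_id, "target": target_user_id, "exp": exp}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_switch_back_cookie(cookie, current_session_user_id, is_admin, now=None):
    """Return the admin id to switch back to, or None if any check fails."""
    try:
        payload_b64, sig_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):  # malformed structure or bad base64
        return None
    # Constant-time comparison; a forged or edited payload fails here.
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(payload)
        orig, target, exp = int(claims["orig"]), int(claims["target"]), int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        return None
    if exp < int(now if now is not None else time.time()):
        return None  # expired
    if current_session_user_id != target:
        return None  # cookie was issued for a different session
    if not is_admin(orig):
        return None  # privilege may have been revoked since the switch
    return orig


if __name__ == "__main__":
    admins = {1}
    cookie = issue_switch_back_cookie(1, 7)
    print(verify_switch_back_cookie(cookie, 7, lambda uid: uid in admins))  # prints 1
    print(verify_switch_back_cookie("1", 7, lambda uid: uid in admins))  # prints None
```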
The issue impacts all versions of the theme up to 6.0, with a patch released in version 6.1 on July 17, 2025. The theme has been purchased by over 6,100 users on Envato Market. Since August 1, 2025, there have been over 13,800 attempts to exploit this vulnerability, although the success rate of these attempts remains unknown.
Administrators are advised to inspect their websites for anomalies (for example, administrator accounts or sessions they do not recognize) and to ensure all plugins and themes are updated to the latest versions, which for this theme means 6.1 or later, to mitigate the risk of exploitation.
Stay secure — stay Wavasec. 🔐