{"id":59949,"date":"2025-08-07T05:14:51","date_gmt":"2025-08-07T05:14:51","guid":{"rendered":""},"modified":"2025-10-07T14:30:10","modified_gmt":"2025-10-07T20:30:10","slug":"cve-2025-5947-privilege-escalation-vulnerability-in-service-finder-bookings-plugin-for-wordpress","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2025-5947-privilege-escalation-vulnerability-in-service-finder-bookings-plugin-for-wordpress\/","title":{"rendered":"<strong>CVE-2025-5947: Privilege Escalation Vulnerability in Service Finder Bookings Plugin for WordPress<\/strong>"},"content":{"rendered":"<p><strong>Overview<\/strong><\/p>\n<p>With the increasing usage of WordPress as a leading CMS, the security of its plugins has become a critical concern. One such plugin, the Service Finder Bookings, has recently been found to harbor a serious vulnerability, labeled as CVE-2025-5947. This <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-41666-watchdog-file-replacement-vulnerability-allowing-remote-access-and-control\/\"  data-wpil-monitor-id=\"66719\">vulnerability allows<\/a> an unauthenticated user to bypass authentication and escalate their privileges, posing a significant threat to the security of any WordPress site using the affected plugin versions. The potential implications of this vulnerability are dire, ranging from <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-54378-unauthorized-access-vulnerability-in-hax-cms\/\"  data-wpil-monitor-id=\"68873\">unauthorized system access<\/a> to data breaches, underscoring the need for immediate action to mitigate the risk.<\/p>\n<p><strong>Vulnerability Summary<\/strong><\/p>\n<p>CVE ID: CVE-2025-5947<br \/>\nSeverity: Critical (CVSS score 9.8)<br \/>\nAttack Vector: Network<br \/>\nPrivileges Required: None<br \/>\nUser Interaction: None<br \/>\nImpact: <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-31278-memory-corruption-vulnerability-with-potential-system-compromise\/\"  data-wpil-monitor-id=\"70398\">Potential system<\/a> compromise or data leakage<\/p>\n<p><strong>Affected Products<\/strong><\/p><div id=\"ameeb-1796380823\" class=\"ameeb-content-2 ameeb-entity-placement\"><div style=\"border-left: 4px solid #555; padding-left: 20px; margin: 48px 0; font-family: Roboto, sans-serif; color: #ffffff; line-height: 1.6; max-width: 700px;\">\r\n  <h2 style=\"margin-top: 0; font-size: 20px; font-weight: 600; display: flex; align-items: center;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"display: inline-flex; align-items: center; margin-right: 8px;\">\r\n      <img decoding=\"async\" src=\"https:\/\/www.ameeba.com\/blog\/wp-content\/uploads\/2025\/10\/Best-App-icon-Ameeba.png\" alt=\"Ameeba Chat Icon\" style=\"width: 40px; height: 40px;\" \/>\r\n    <\/a>\r\n    A new way to communicate\r\n  <\/h2>\r\n\r\n  <p style=\"margin-bottom: 12px;\">\r\n    Ameeba Chat is built on encrypted identity, not personal profiles.\r\n  <\/p>\r\n\r\n  <p style=\"margin-bottom: 16px;\">\r\n    Message, call, share files, and coordinate with identities kept separate.\r\n  <\/p>\r\n\r\n  <ul style=\"list-style: none; padding-left: 0; margin-bottom: 20px;\">\r\n    <li>\u2022 Encrypted identity<\/li>\r\n    <li>\u2022 Ameeba Chat authenticates access<\/li>\r\n    <li>\u2022 Aliases and categories<\/li>\r\n    <li>\u2022 End-to-end encrypted chat, calls, and files<\/li>\r\n    <li>\u2022 Secure notes for sensitive information<\/li>\r\n  <\/ul>\r\n\r\n  <p style=\"font-style: italic; font-weight: 600; margin-bottom: 24px;\">\r\n    Private communication, rethought.\r\n  <\/p>\r\n\r\n  <div style=\"display: flex; flex-wrap: wrap; gap: 12px;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\/download\" style=\"background-color: #ffffff; color: #000000; padding: 10px 20px; text-decoration: none; border-radius: 6px; font-weight: 500;\">Download Ameeba Chat<\/a>\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"border: 1px solid #ffffff; color: #ffffff; padding: 10px 20px; text-decoration: none; border-radius: 6px; font-weight: 500;\">Learn More<\/a>\r\n  <\/div>\r\n<\/div>\r\n<\/div>\n<p>Product | Affected Versions<\/p>\n<p>Service Finder Bookings <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-5835-droip-plugin-for-wordpress-unauthorized-access-and-modification-vulnerability\/\"  data-wpil-monitor-id=\"68962\">Plugin for WordPress<\/a> | Up to and including version 6.0<\/p>\n<p><strong>How the Exploit Works<\/strong><\/p>\n<p>The vulnerability resides in the service_finder_switch_back() function of the <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-5948-privilege-escalation-vulnerability-in-service-finder-bookings-plugin-for-wordpress\/\"  data-wpil-monitor-id=\"90178\">Service Finder Bookings plugin<\/a>. This function is designed to log users in based on the cookie values associated with their session. However, <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-25737-critical-vulnerability-in-kapsch-trafficcom-rsus-due-to-lack-of-secure-password-requirements\/\"  data-wpil-monitor-id=\"89241\">due to a lack<\/a> of proper validation checks, an attacker can manipulate these cookie values to impersonate any user, including administrators. This <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-43232-critical-permissions-issue-allowing-app-to-bypass-privacy-preferences-in-macos\/\"  data-wpil-monitor-id=\"69122\">allows them to bypass<\/a> the authentication process entirely and gain unauthorized access to the system.<\/p>\n<p><strong>Conceptual Example Code<\/strong><\/p><div id=\"ameeb-3702016132\" class=\"ameeb-content ameeb-entity-placement\"><div class=\"poptin-embedded\" data-id=\"f6b387694f681\"><\/div>\r\n\r\n\r\n\r\n\r\n\r\n<\/div>\n<p>A <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2024-7457-macos-authorization-model-exploit-leading-to-potential-mitm-attacks\/\"  data-wpil-monitor-id=\"80119\">potential exploit<\/a> could look something like this:<\/p>\n<pre><code class=\"\" data-line=\"\">GET \/wp-admin\/ HTTP\/1.1\nHost: target.example.com\nCookie: service_finder_auth=malicious_cookie_value<\/code><\/pre>\n<p>In this example, the <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2024-9408-server-side-request-forgery-attack-in-eclipse-glassfish\/\"  data-wpil-monitor-id=\"77339\">attacker sends a GET request<\/a> to the admin panel with a manipulated cookie value (`malicious_cookie_value`). If the website is running a <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-52809-php-remote-file-inclusion-vulnerability-in-national-weather-service-alerts\/\"  data-wpil-monitor-id=\"65937\">vulnerable version of the Service<\/a> Finder Booking plugin, the attacker will be logged in as an admin, gaining full control over the system.<\/p>\n<p><strong>Mitigation Guidance<\/strong><\/p>\n<p>Users are advised to apply the vendor patch as soon as it becomes available. Until then, a Web Application Firewall (WAF) or an Intrusion Detection System (IDS) can be used as temporary mitigation measures. These tools can help detect and prevent unauthorized access attempts, providing an additional layer of <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-7096-critical-vulnerability-in-comodo-internet-security-premium-12-3-4-8162\/\"  data-wpil-monitor-id=\"66718\">security against potential exploitation of this vulnerability<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview With the increasing usage of WordPress as a leading CMS, the security of its plugins has become a critical concern. One such plugin, the Service Finder Bookings, has recently been found to harbor a serious vulnerability, labeled as CVE-2025-5947. This vulnerability allows an unauthenticated user to bypass authentication and escalate their privileges, posing a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[1],"tags":[],"vendor":[],"product":[],"attack_vector":[75,76],"asset_type":[],"severity":[],"exploit_status":[],"class_list":["post-59949","post","type-post","status-publish","format-standard","hentry","category-uncategorized","attack_vector-authentication-bypass","attack_vector-privilege-escalation"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/59949","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/comments?post=59949"}],"version-history":[{"count":10,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/59949\/revisions"}],"predecessor-version":[{"id":83066,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/59949\/revisions\/83066"}],"wp:attachment":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/media?parent=59949"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/categories?post=59949"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/tags?post=59949"},{"taxonomy":"vendor","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/vendor?post=59949"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/product?post=59949"},{"taxonomy":"attack_vector","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/attack_vector?post=59949"},{"taxonomy":"asset_type","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/asset_type?post=59949"},{"taxonomy":"severity","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/severity?post=59949"},{"taxonomy":"exploit_status","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/exploit_status?post=59949"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}