{"id":76141,"date":"2025-09-25T15:17:39","date_gmt":"2025-09-25T15:17:39","guid":{"rendered":""},"modified":"2025-11-02T15:07:59","modified_gmt":"2025-11-02T21:07:59","slug":"cve-2025-5948-privilege-escalation-vulnerability-in-service-finder-bookings-plugin-for-wordpress","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2025-5948-privilege-escalation-vulnerability-in-service-finder-bookings-plugin-for-wordpress\/","title":{"rendered":"<strong>CVE-2025-5948: Privilege Escalation Vulnerability in Service Finder Bookings Plugin for WordPress<\/strong>"},"content":{"rendered":"<p><strong>Overview<\/strong><\/p>\n<p>The CVE-2025-5948 vulnerability is a critical security flaw discovered in the Service Finder Bookings plugin for WordPress. This vulnerability allows for privilege escalation via account takeover, affecting all versions of the plugin up to and including 6.0. The flaw matters significantly as it allows for unauthenticated attackers to potentially login as any user, including admins, <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-9253-stack-based-buffer-overflow-on-linksys-wi-fi-range-extenders-leading-to-potential-system-compromise\/\"  data-wpil-monitor-id=\"84218\">potentially leading to system<\/a> compromise or data leakage.<br \/>\nThis vulnerability specifically affects WordPress sites utilizing the <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-7775-critical-memory-overflow-vulnerability-in-netscaler-adc-and-gateway-leading-to-potential-system-compromise\/\"  data-wpil-monitor-id=\"83867\">Service Finder Bookings plugin<\/a> and has the potential to impact millions of businesses globally that depend on this platform for their online presence. Given the potential <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-50972-sql-injection-vulnerability-in-abantecart-1-4-2-with-a-high-severity-score\/\"  data-wpil-monitor-id=\"83517\">severity of this vulnerability<\/a>, it&#8217;s crucial for any organization utilizing this plugin to take immediate steps to address this risk.<\/p>\n<p><strong>Vulnerability Summary<\/strong><\/p>\n<p>CVE ID: CVE-2025-5948<br \/>\nSeverity: Critical (9.8 CVSS Score)<br \/>\nAttack Vector: Network<br \/>\nPrivileges Required: Low (Subscriber privileges)<br \/>\nUser Interaction: None<br \/>\nImpact: <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-22404-potential-system-compromise-due-to-use-after-free-vulnerability\/\"  data-wpil-monitor-id=\"85573\">System compromise<\/a> or data leakage<\/p>\n<p><strong>Affected Products<\/strong><\/p><div id=\"ameeb-1650366376\" class=\"ameeb-content-2 ameeb-entity-placement\"><div style=\"border-left: 4px solid #555; padding-left: 20px; margin: 48px 0; font-family: Roboto, sans-serif; color: #ffffff; line-height: 1.6; max-width: 700px;\">\r\n  <h2 style=\"margin-top: 0; font-size: 20px; font-weight: 600; display: flex; align-items: center;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"display: inline-flex; align-items: center; margin-right: 8px;\">\r\n      <img decoding=\"async\" src=\"https:\/\/www.ameeba.com\/blog\/wp-content\/uploads\/2025\/10\/Best-App-icon-Ameeba.png\" alt=\"Ameeba Chat Icon\" style=\"width: 40px; height: 40px;\" \/>\r\n    <\/a>\r\n    A new way to communicate\r\n  <\/h2>\r\n\r\n  <p style=\"margin-bottom: 12px;\">\r\n    Ameeba Chat is built on encrypted identity, not personal profiles.\r\n  <\/p>\r\n\r\n  <p style=\"margin-bottom: 16px;\">\r\n    Message, call, share files, and coordinate with identities kept separate.\r\n  <\/p>\r\n\r\n  <ul style=\"list-style: none; padding-left: 0; margin-bottom: 20px;\">\r\n    <li>\u2022 Encrypted identity<\/li>\r\n    <li>\u2022 Ameeba Chat authenticates access<\/li>\r\n    <li>\u2022 Aliases and categories<\/li>\r\n    <li>\u2022 End-to-end encrypted chat, calls, and files<\/li>\r\n    <li>\u2022 Secure notes for sensitive information<\/li>\r\n  <\/ul>\r\n\r\n  <p style=\"font-style: italic; font-weight: 600; margin-bottom: 24px;\">\r\n    Private communication, rethought.\r\n  <\/p>\r\n\r\n  <div style=\"display: flex; flex-wrap: wrap; gap: 12px;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\/download\" style=\"background-color: #ffffff; color: #000000; padding: 10px 20px; text-decoration: none; border-radius: 6px; font-weight: 500;\">Download Ameeba Chat<\/a>\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"border: 1px solid #ffffff; color: #ffffff; padding: 10px 20px; text-decoration: none; border-radius: 6px; font-weight: 500;\">Learn More<\/a>\r\n  <\/div>\r\n<\/div>\r\n<\/div>\n<p>Product | Affected Versions<\/p>\n<p>Service Finder Bookings <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-9990-wordpress-helpdesk-integration-plugin-vulnerable-to-local-file-inclusion\/\"  data-wpil-monitor-id=\"87380\">Plugin for WordPress<\/a> | Up to and including 6.0<\/p>\n<p><strong>How the Exploit Works<\/strong><\/p>\n<p>The exploit takes advantage of the <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-5060-authentication-bypass-vulnerability-in-bravis-user-plugin-for-wordpress\/\"  data-wpil-monitor-id=\"85229\">plugin&#8217;s lack of proper user<\/a> identity validation before claiming a business using the claim_business AJAX action. This lack of validation makes it possible for an <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-3498-unauthenticated-user-access-and-modification-of-radiflow-isap-smart-collector-configuration\/\"  data-wpil-monitor-id=\"92251\">unauthenticated attacker to log in as any user<\/a>, including admins.<br \/>\nTo complete the business takeover, the attacker would need subscriber privileges or to brute-force valid IDs. The claim_id is required to <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-43930-hashview-0-8-1-account-takeover-via-password-reset-vulnerability\/\"  data-wpil-monitor-id=\"91348\">takeover the admin account<\/a>, but brute-forcing is a practical approach to obtaining valid IDs.<\/p>\n<p><strong>Conceptual Example Code<\/strong><\/p><div id=\"ameeb-2875056182\" class=\"ameeb-content ameeb-entity-placement\"><div class=\"poptin-embedded\" data-id=\"f6b387694f681\"><\/div>\r\n\r\n\r\n\r\n\r\n\r\n<\/div>\n<p>An example of exploiting this vulnerability might look like the following pseudocode:<\/p>\n<pre><code class=\"\" data-line=\"\">POST \/wp-admin\/admin-ajax.php?action=claim_business HTTP\/1.1\nHost: target.example.com\nContent-Type: application\/x-www-form-urlencoded\n{ &quot;claim_id&quot;: &quot;brute_force or known_valid_id&quot;, &quot;user&quot;: &quot;admin&quot; }<\/code><\/pre>\n<p>In this example, the attacker is sending a POST <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-8592-wordpress-inspiro-theme-vulnerability-to-cross-site-request-forgery-csrf\/\"  data-wpil-monitor-id=\"85403\">request to the vulnerable<\/a> endpoint, using either a brute-forced or known valid claim_id, and attempting to gain access as the &#8216;admin&#8217; user.<\/p>\n<p><strong>Mitigation Guidance<\/strong><\/p>\n<p>Given the potential <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2022-38693-severe-memory-buffer-overflow-vulnerability-in-fdl1\/\"  data-wpil-monitor-id=\"84524\">severity of this vulnerability<\/a>, it&#8217;s recommended to apply the vendor patch as soon as it becomes available. In the meantime, employing a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can serve as temporary mitigation, reducing the risk of a successful exploit.<br \/>\nRemember to always keep your <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-5931-dokan-pro-plugin-for-wordpress-privilege-escalation-vulnerability\/\"  data-wpil-monitor-id=\"88869\">WordPress plugins<\/a> up-to-date and monitor your systems for any unusual or suspicious activity. Regular penetration <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-57644-critical-vulnerabilities-within-accela-automation-platform-s-test-script-feature\/\"  data-wpil-monitor-id=\"90118\">testing and vulnerability<\/a> assessments can further help identify and mitigate such vulnerabilities before they are exploited.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview The CVE-2025-5948 vulnerability is a critical security flaw discovered in the Service Finder Bookings plugin for WordPress. This vulnerability allows for privilege escalation via account takeover, affecting all versions of the plugin up to and including 6.0. The flaw matters significantly as it allows for unauthenticated attackers to potentially login as any user, including [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[1],"tags":[],"vendor":[],"product":[],"attack_vector":[76],"asset_type":[],"severity":[],"exploit_status":[],"class_list":["post-76141","post","type-post","status-publish","format-standard","hentry","category-uncategorized","attack_vector-privilege-escalation"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/76141","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/comments?post=76141"}],"version-history":[{"count":12,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/76141\/revisions"}],"predecessor-version":[{"id":85467,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/76141\/revisions\/85467"}],"wp:attachment":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/media?parent=76141"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/categories?post=76141"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/tags?post=76141"},{"taxonomy":"vendor","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/vendor?post=76141"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/product?post=76141"},{"taxonomy":"attack_vector","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/attack_vector?post=76141"},{"taxonomy":"asset_type","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/asset_type?post=76141"},{"taxonomy":"severity","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/severity?post=76141"},{"taxonomy":"exploit_status","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/exploit_status?post=76141"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}