Attackers Actively Exploiting Critical Vulnerability in Service Finder Bookings Plugin



On June 8th, 2025, we received a submission through our Bug Bounty Program for an Authentication Bypass vulnerability in Service Finder Bookings, a WordPress plugin bundled with the Service Finder theme. This theme has been sold to approximately 6,000 customers. This vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts with the ‘administrator’ role. The vendor released the patched version on July 17, 2025, and we publicly disclosed this vulnerability on July 31, 2025. Our records indicate that attackers started exploiting the issue the next day on August 1, 2025. The Wordfence Firewall has already blocked over 13,800 exploit attempts targeting this vulnerability.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 13, 2025. Sites using the free version of Wordfence received the same protection after the standard 30-day delay on July 13, 2025.

We urge users to ensure their sites are updated with the latest patched version of Service Finder Bookings, version 6.1 at the time of this writing, as soon as possible, as this vulnerability is under active exploitation.

Vulnerability Summary from Wordfence Intelligence

CVSS Rating: 9.8 (Critical)
CVE-ID: CVE-2025-5947
Affected Versions: all versions up to and including 6.0
Patched Version: 6.1
Bounty: $1,002.00
Affected Software: Service Finder Bookings
Affected Software Slug:
Researcher:
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user’s cookie value prior to logging them in through the service_finder_switch_back() function. This makes it possible for unauthenticated attackers to login as any user including admins.

Vulnerability Details

Examining the code reveals that the plugin uses the service_finder_switch_back() function to handle the "switch back" half of its account-switching feature: returning a session to the original user after that user has switched into another account. The function reads the original account's ID from a cookie named original_user_id:

function service_finder_switch_back() {
    if (isset($_COOKIE['original_user_id'])) {
        // The cookie value is chosen by the client, not by the server.
        $original_user_id = intval($_COOKIE['original_user_id']);
        // The only check performed: does a user with this ID exist?
        if (get_userdata($original_user_id)) {
            // Switch back to the original user
            wp_set_current_user($original_user_id);
            wp_set_auth_cookie($original_user_id);
            // (remainder of the function omitted in the advisory excerpt)
        }
    }
}

Unfortunately, this functionality was insecurely implemented: the function performs no authentication or authorization check at all. It does not verify that a visitor is logged in, that the session was ever switched from another account, or that a nonce or capability authorizes the switch. The only condition is that a user with the ID named in the cookie exists, and because the original_user_id cookie is supplied by the client, any visitor who sends original_user_id=1 (on most sites the first administrator account) is issued a valid WordPress authentication cookie for that user.

This makes it possible for threat actors to bypass authentication and gain access to arbitrary accounts on sites running a vulnerable version of the plugin. As always, an administrator session makes it easy for threat actors to completely compromise a vulnerable WordPress site and further infect the victim.
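The following is an added example of how a switch-back handler can avoid this class of bug; it is illustrative code written for this article, not the plugin's own code or the vendor's 6.1 patch. The core change is that the original user's ID is recorded server-side (in user meta keyed to the account that was switched into) at the moment of switching, so the browser never holds it, and switching back additionally requires a logged-in session and a nonce bound to that session. All names carrying the sf_example_ prefix, the meta key, the nonce action, the 'init' hook and the switch_back=1 trigger (chosen to mirror the request shape seen in the attack data) are assumptions made for this example.

```php
<?php
// Added example, not the plugin's code. Everything prefixed sf_example_,
// the meta key and the nonce action are assumptions for illustration.

const SF_EXAMPLE_META_KEY     = '_sf_example_switched_from';
const SF_EXAMPLE_NONCE_ACTION = 'sf_example_switch_back';

/**
 * Step 1: when an administrator switches INTO another account, record the
 * administrator's ID server-side, keyed to the account being entered.
 * Nothing about the original user is ever sent to the browser.
 */
function sf_example_switch_into( $target_user_id ) {
    $target_user_id = (int) $target_user_id;

    // Only a logged-in administrator may impersonate.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to switch accounts.' );
    }
    // Target must exist and must not itself be an administrator.
    $target = get_userdata( $target_user_id );
    if ( ! $target || user_can( $target, 'manage_options' ) ) {
        return new WP_Error( 'bad_target', 'Invalid target account.' );
    }

    update_user_meta( $target_user_id, SF_EXAMPLE_META_KEY, get_current_user_id() );

    wp_clear_auth_cookie();
    wp_set_current_user( $target_user_id );
    wp_set_auth_cookie( $target_user_id );
    return true;
}

/** Link shown inside the switched-into session; the nonce binds it to that session. */
function sf_example_switch_back_url() {
    return wp_nonce_url( add_query_arg( 'switch_back', '1', home_url( '/' ) ), SF_EXAMPLE_NONCE_ACTION );
}

/**
 * Step 2: switching back requires (a) a logged-in session, (b) a valid nonce
 * tied to that session, and (c) a server-side record that THIS account was
 * entered via a switch. The original ID comes from user meta, never a cookie.
 */
function sf_example_switch_back() {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'not_logged_in', 'No session to switch back from.' );
    }

    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, SF_EXAMPLE_NONCE_ACTION ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid or expired switch-back token.' );
    }

    $current_id  = get_current_user_id();
    $original_id = (int) get_user_meta( $current_id, SF_EXAMPLE_META_KEY, true );
    if ( $original_id <= 0 || ! get_userdata( $original_id ) ) {
        return new WP_Error( 'no_record', 'This session was not entered via account switching.' );
    }

    // One-shot: remove the record before changing the session.
    delete_user_meta( $current_id, SF_EXAMPLE_META_KEY );

    wp_clear_auth_cookie();
    wp_set_current_user( $original_id );
    wp_set_auth_cookie( $original_id );
    return true;
}

// Assumed trigger: ?switch_back=1 on 'init', mirroring the attack requests.
add_action( 'init', function () {
    if ( isset( $_GET['switch_back'] ) && '1' === $_GET['switch_back'] ) {
        $result = sf_example_switch_back();
        if ( is_wp_error( $result ) ) {
            wp_die( esc_html( $result->get_error_message() ), '', array( 'response' => 403 ) );
        }
        wp_safe_redirect( admin_url() );
        exit;
    }
} );
```

With this design the request from the attack data (an unauthenticated GET with an original_user_id cookie) fails at the first check, and even a logged-in user cannot name an arbitrary target because the only ID the handler will ever switch to is the one the server itself recorded.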

A Closer Look at the Attack Data

The following data highlights actual exploit attempts from threat actors targeting this vulnerability.

Example attack request

GET /?switch_back=1 HTTP/1.1
Cookie: original_user_id=1;
Host: [redacted]

Wordfence Firewall

The following graphic illustrates the steps an attacker might take to exploit the vulnerability and the point at which the Wordfence firewall blocks the request.

The Wordfence firewall rule detects the malicious cookie value and blocks the request.

Total Number of Exploit Attempts Blocked

The Wordfence Firewall has blocked over 13,800 exploit attempts since the vulnerability was publicly disclosed.

According to our data, attackers started targeting websites the day after the vulnerability was disclosed, on August 1st. We also detected and blocked a large number of exploit attempts from September 22nd to 29th.

Top Offending IP Addresses

The following IP Addresses are currently the most actively engaged IP addresses targeting the Service Finder Bookings plugin account switching function:

  • 5.189.221.98
    • Over 2700 blocked requests.
  • 185.109.21.157
    • Over 2600 blocked requests.
  • 192.121.16.196
    • Over 2600 blocked requests.
  • 194.68.32.71
    • Over 2300 blocked requests.
  • 178.125.204.198
    • Over 1400 blocked requests.

Indicators of Compromise

Unfortunately, there are currently no clear or easily identifiable indicators of compromise beyond logged requests that carry the ‘switch_back’ query parameter. Standard web-server access logs do not record cookies, so the original_user_id value itself will usually not be visible; the query parameter is the signal to search for. If the attackers manage to log in as an administrator, they hold a valid session and can easily clear their tracks.

We recommend reviewing log files for any requests originating from the following IP addresses:

  • 5.189.221.98
  • 185.109.21.157
  • 192.121.16.196
  • 194.68.32.71
  • 178.125.204.198

The absence of any such log entries does not guarantee that your website has not been compromised. Because a successful exploit issues an ordinary WordPress authentication cookie, updating the plugin does not end sessions an attacker has already obtained; if you have any reason to suspect compromise, log every administrator account out of all sessions and reset their passwords. We recommend doing a thorough review of users, plugins and files if you see any abnormal activity or unfamiliar accounts on a site that has run a vulnerable version of the software.
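As an added example of the log review described above (written for this article, not tooling from the advisory), the following PHP CLI script parses access-log lines in the common "combined" format and flags any request whose query string contains the switch_back parameter, as well as any request from the IP addresses listed above. The sample log lines embedded at the bottom are constructed for illustration and are not real traffic; the sf_example_ function names are assumptions. Point sf_example_scan_file() at a real access.log to run it against your own data.

```php
<?php
// Added example, not part of the advisory. Scans access logs for the request
// shape seen in the attack data. The sf_example_ names are assumptions.

// IP addresses listed in the advisory as top sources of blocked requests.
const SF_EXAMPLE_KNOWN_IPS = array(
    '5.189.221.98', '185.109.21.157', '192.121.16.196',
    '194.68.32.71', '178.125.204.198',
);

/** Parse one Apache/nginx "combined" format line; null if it does not match. */
function sf_example_parse_line( $line ) {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array(
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
        'ua'     => $m[6],
    );
}

/**
 * Does the request carry the switch_back parameter? The cookie that triggers
 * the bug is not written to a standard access log, so the query string is
 * the only reliable signal there.
 */
function sf_example_is_switch_back( $path ) {
    $query = parse_url( $path, PHP_URL_QUERY );
    if ( ! is_string( $query ) ) {
        return false;
    }
    parse_str( $query, $params );
    return array_key_exists( 'switch_back', $params );
}

/** Return the parsed entries that match either indicator, with the reasons. */
function sf_example_scan( array $lines ) {
    $hits = array();
    foreach ( $lines as $line ) {
        $r = sf_example_parse_line( $line );
        if ( ! $r ) {
            continue;
        }
        $reasons = array();
        if ( sf_example_is_switch_back( $r['path'] ) ) {
            $reasons[] = 'switch_back parameter';
        }
        if ( in_array( $r['ip'], SF_EXAMPLE_KNOWN_IPS, true ) ) {
            $reasons[] = 'known attacking IP';
        }
        if ( $reasons ) {
            $r['reasons'] = $reasons;
            $hits[]       = $r;
        }
    }
    return $hits;
}

function sf_example_scan_file( $path ) {
    return sf_example_scan( file( $path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES ) );
}

// Constructed sample lines (not real data) so the script runs stand-alone.
$sample = array(
    '5.189.221.98 - - [22/Sep/2025:03:14:07 +0000] "GET /?switch_back=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [22/Sep/2025:03:15:11 +0000] "GET /?switch_back=1 HTTP/1.1" 403 199 "-" "curl/8.4.0"',
    '198.51.100.4 - - [22/Sep/2025:03:16:30 +0000] "GET /wp-login.php HTTP/1.1" 200 4315 "-" "Mozilla/5.0"',
    '194.68.32.71 - - [22/Sep/2025:03:17:02 +0000] "GET / HTTP/1.1" 200 8120 "-" "python-requests/2.31"',
);

foreach ( sf_example_scan( $sample ) as $hit ) {
    printf( "%s %s %s %s %d -> %s\n",
        $hit['ip'], $hit['time'], $hit['method'], $hit['path'], $hit['status'],
        implode( ', ', $hit['reasons'] ) );
}
```

When reviewing the output, pay most attention to switch_back requests that were not answered with a firewall block: a request that reached an unpatched plugin was processed regardless of what the server replied afterwards, so treat every non-blocked hit that predates your update as a potential successful login and review that site's administrator accounts accordingly.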

Conclusion

In today’s article, we covered the attack data for a critical-severity vulnerability in the Service Finder Bookings plugin that allows unauthenticated attackers to bypass authentication and gain access to the accounts of users. Our threat intelligence indicates that attackers may have started actively targeting this vulnerability as early as August 1, 2025 with mass exploitation starting on September 22, 2025. The Wordfence firewall has already blocked over 13,800 exploit attempts targeting this vulnerability.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 13, 2025. Sites using the free version of Wordfence received the same protection after the standard 30-day delay on July 13, 2025.

Even if you have already received a firewall rule for this issue we urge you to ensure that your site is updated to at least version 6.1 in order to maintain normal functionality. If you have friends or colleagues using Service Finder Bookings, be sure to forward this advisory to them, as thousands of sites could still be unprotected and unpatched.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.
