Service Finder Bookings authentication bypass

Attackers Exploiting Service Finder Bookings Authentication Bypass Vulnerability

A critical Service Finder Bookings authentication bypass vulnerability in the WordPress plugin is under active exploitation, with more than 13,800 attack attempts already blocked. The flaw, tracked as CVE-2025-5947, allows unauthenticated attackers to gain access to any user account, including those with administrator privileges.

Background and Timeline

The vulnerability was first reported through a bug bounty submission on June 8, 2025, affecting all plugin versions up to and including 6.0. A patched version (6.1) was released on July 17, 2025, followed by public disclosure on July 31, 2025. Attackers began exploiting the flaw almost immediately, with the first detected activity on August 1, 2025.

Technical Overview

The issue resides in the plugin’s service_finder_switch_back() function, which handles user account switching. The function fails to properly validate the original_user_id cookie, allowing attackers to impersonate other users.

This design flaw enables unauthenticated attackers to bypass login checks and gain access to privileged accounts. Exploit attempts have been observed using requests similar to:

GET /?switch_back=1 HTTP/1.1
Cookie: original_user_id=1;

Exploitation Activity

According to Wordfence Intelligence data, mass exploitation began in late September 2025, with concentrated waves of attacks between September 22 and 29. The Wordfence Firewall has blocked over 13,800 exploit attempts targeting the vulnerable function.

Top offending IP addresses include:

  • 5.189.221.98 (over 2,700 requests)
  • 185.109.21.157 (over 2,600 requests)
  • 192.121.16.196 (over 2,600 requests)
  • 194.68.32.71 (over 2,300 requests)
  • 178.125.204.198 (over 1,400 requests)

Indicators of Compromise

There are currently no clear indicators of compromise, but administrators should inspect web server logs for any requests containing the switch_back parameter or originating from the IPs listed above. The absence of such entries does not confirm safety; deeper investigation is recommended if abnormal activity or new user accounts are detected.

Protection and Mitigation

Users of Wordfence Premium, Care, and Response were automatically protected from this vulnerability via a firewall rule released on June 13, 2025. Free Wordfence users received the same protection on July 13, 2025.

All site owners using Service Finder Bookings are urged to:

  1. Update immediately to version 6.1 or higher.
  2. Audit recent logins and review logs for suspicious parameters.
  3. Share this advisory with others using the same plugin to reduce exposure across the ecosystem.
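The log review described in the Indicators of Compromise section and in step 2 above can be scripted. The following Python triage helper is an added example, not code from the advisory or from Wordfence; it assumes the web server writes Apache/nginx "combined" format access logs (that format is an assumption) and flags any request whose query string carries a switch_back parameter (including URL-encoded spellings, which parse_qs decodes) or that originates from one of the source IPs the advisory lists. The sample log lines are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Top offending source IPs named in the advisory.
ADVISORY_IPS = {
    "5.189.221.98", "185.109.21.157", "192.121.16.196",
    "194.68.32.71", "178.125.204.198",
}

# Apache/nginx "combined" access-log format (assumption: the site logs this way).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [22/Sep/2025:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 5123
5.189.221.98 - - [22/Sep/2025:10:05:44 +0000] "GET /?switch_back=1 HTTP/1.1" 403 0
198.51.100.7 - - [22/Sep/2025:10:06:10 +0000] "GET /index.php?switch%5Fback=1 HTTP/1.1" 302 0
185.109.21.157 - - [22/Sep/2025:10:07:30 +0000] "GET /wp-admin/ HTTP/1.1" 200 9002
203.0.113.10 - - [22/Sep/2025:10:09:00 +0000] "GET /?p=12 HTTP/1.1" 200 8812
"""


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def has_switch_back(target):
    """True if the request target carries a switch_back query parameter.

    parse_qs percent-decodes parameter names, so switch%5Fback is caught too;
    keep_blank_values makes a bare 'switch_back=' count as well.
    """
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return any(name.lower() == "switch_back" for name in params)


def triage(lines):
    """Return one finding per suspicious line, with the reasons it was flagged.

    The HTTP status is kept so responders can separate requests the firewall
    rejected from requests the application actually served.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if has_switch_back(rec["target"]):
            reasons.append("switch_back parameter")
        if rec["ip"] in ADVISORY_IPS:
            reasons.append("advisory IP")
        if reasons:
            findings.append({
                "line": lineno, "ip": rec["ip"], "ts": rec["ts"],
                "target": rec["target"], "status": rec["status"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"line {f['line']}: {f['ip']} {f['ts']} {f['target']} "
              f"status={f['status']} reasons={', '.join(f['reasons'])}")
```

Run it against a real access log by replacing SAMPLE_LOG.splitlines() with the file's lines. A hit on the switch_back parameter is the stronger signal; a hit on an advisory IP alone only says that a known source touched the site, so follow it up by checking the same source's other requests and, as the advisory says, by auditing recent logins and newly created accounts regardless of whether either signal appears.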

The Service Finder Bookings authentication bypass vulnerability highlights how quickly attackers move after public disclosures, often exploiting sites within hours of release.
