Advisory

Critical flaw in Service Finder WordPress Theme actively exploited

Take action: If you're using the Service Finder WordPress theme, THIS IS URGENT. Immediately update the Service Finder Bookings plugin to version 6.1. The flaw is actively exploited and fairly trivial to exploit. After updating, check your access logs for suspicious "switch_back" requests and review all user accounts.


Learn More

Security researchers at Wordfence are reporting an actively exploited critical authentication bypass vulnerability in the Service Finder Bookings plugin, a component bundled with the widely used Service Finder WordPress theme.

The vulnerability is tracked as CVE-2025-5947 (CVSS score 9.8) and is caused by an insecure implementation in the plugin's account-switching functionality, within the service_finder_switch_back() function. This function was designed to allow users to switch back to a previous account after impersonation, but it fails to include any authentication or authorization checks.

Attackers can trigger the vulnerability by sending a crafted HTTP GET request to the root path of a vulnerable website with a switch_back=1 query parameter and a manipulated cookie containing the desired user ID. For example, by setting the cookie to original_user_id=1, an attacker can instantly log in as the WordPress administrator (typically user ID 1) without requiring any valid credentials.

The theme's vendor, Aonetheme, released a patched version 6.1 on July 17, 2025. The security issue was publicly reported on July 31, 2025, and exploitation began almost immediately.

Since exploitation began, Wordfence has blocked more than 13,800 exploit attempts targeting this vulnerability with its Web Application Firewall. Attack activity surged for approximately one week starting September 22, and the attacks are persisting through October.

Website administrators using the Service Finder theme should immediately update to Service Finder Bookings version 6.1 or newer, check access logs specifically for requests containing the switch_back parameter, and examine all user accounts for unauthorized creations or privilege elevations.
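The log review step above, as an added example (not code from Wordfence or Aonetheme): a small Python scanner that parses web server access logs in the common Apache/nginx "combined" format, flags every request whose query string carries the switch_back parameter, and tallies hits per source address. The log lines are constructed samples, not real traffic; the cookie value the attack relies on is normally not written to access logs, so the scan keys on the query parameter alone.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Sep/2025:10:14:02 +0000] "GET /?switch_back=1 HTTP/1.1" 302 0 "-" "curl/8.4.0"
198.51.100.4 - - [23/Sep/2025:10:14:05 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Sep/2025:10:14:09 +0000] "GET /?switch_back=1&x=1 HTTP/1.1" 302 0 "-" "curl/8.4.0"
192.0.2.9 - - [23/Sep/2025:10:15:00 +0000] "GET /index.php?switch_back=1 HTTP/1.1" 200 812 "-" "python-requests/2.32"
"""

# Field layout of the combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def is_switch_back_request(target: str) -> bool:
    """True when the request target's query string carries a switch_back parameter.

    parse_qs is used rather than a substring match so that a bare "?switch_back"
    (no value) and extra parameters alongside it are both recognised.
    """
    query = urlsplit(target).query
    return "switch_back" in parse_qs(query, keep_blank_values=True)


def find_switch_back_requests(log_text: str) -> list[dict]:
    """Return one record per matching request: source IP, timestamp, target, status, user agent."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if is_switch_back_request(m["target"]):
            # The status code is kept so a reviewer can separate redirects from errors.
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                         "status": int(m["status"]), "ua": m["ua"]})
    return hits


def count_by_source(hits: list[dict]) -> Counter:
    """Number of switch_back requests per source address, for triage and blocking."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_switch_back_requests(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["target"]} "{h["ua"]}"')
    print(count_by_source(found))
```

Any hit should be followed by a review of user accounts and sessions created or elevated around that timestamp, as the advisory recommends.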
