
[CIVN-2025-0278] Authentication Bypass Vulnerability in Service Finder Bookings plugin for WordPress
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
WordPress Plugin Service Finder Bookings – versions prior to 6.1
Overview
A vulnerability has been reported in Service Finder Bookings plugin for WordPress which could allow an unauthenticated attacker to bypass authentication on the targeted system.
Target Audience:
Users of affected WordPress Plugins.
Risk Assessment:
High risk of unauthorised access.
Impact Assessment:
Potential for complete account compromise.
Description
Service Finder Bookings is a WordPress plugin that enables service booking, staff management, invoicing, and payment processing for businesses and service providers.
The vulnerability exists in the Service Finder Bookings plugin for WordPress due to improper validation of user cookie values before authenticating sessions. It allows unauthenticated attackers to log in as any user, including administrators.
Successful exploitation of this vulnerability could allow an unauthenticated attacker to bypass authentication on the targeted system.
Solution
Apply appropriate updates as mentioned:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/sf-booking/service-finder-bookings-60-authentication-bypass-via-user-switch-cookie
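One way to check whether a WordPress install is still on an affected version, as an added example that is not part of the CERT-In advisory. It assumes the plugin directory is named sf-booking (the slug in the Wordfence URL above) and that the version is declared in a standard WordPress plugin header; the function names are illustrative.

```shell
#!/bin/sh
# Added example: flag Service Finder Bookings installs older than the fixed release.
FIXED_VERSION="6.1"        # from the advisory: versions prior to 6.1 are affected
PLUGIN_SLUG="sf-booking"   # assumption: directory name matches the Wordfence slug

# Print the "Version:" value from the plugin header of the first top-level
# PHP file that declares one; print nothing if the plugin is not installed.
plugin_version() {
    dir="$1/wp-content/plugins/$PLUGIN_SLUG"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.php; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]*#@]*Version:[[:space:]]*\([0-9][0-9A-Za-z.-]*\).*/\1/p' "$f" | head -n 1)
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
}

# Succeed when dot-separated version $1 is strictly lower than $2.
# Components are compared numerically, so 6.10 is newer than 6.1.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Classify one WordPress root: prints "<root> <status> [version]".
check_site() {
    v=$(plugin_version "$1")
    if [ -z "$v" ]; then
        echo "$1 not-installed"
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo "$1 VULNERABLE $v"
    else
        echo "$1 patched $v"
    fi
}

# Usage: sh check_sf_booking.sh /var/www/site1 /var/www/site2
for root in "$@"; do check_site "$root"; done
```

A "not-installed" result only means no plugin header was found under that directory name, so confirm against the WordPress admin plugin list on hosts that use a non-standard layout.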
Vendor Information
Service Finder
https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793?srsltid=AfmBOoqxpaIOhyEBFYo8Yrcv5WWUhbLavVBQJWAaPGTDpzffpc7jLDRt
References
WordFence
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/sf-booking/service-finder-bookings-60-authentication-bypass-via-user-switch-cookie
CVE Name
CVE-2025-5947
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


