Active exploitation of authentication bypass in Service Finder WordPress theme

First reported

08.10.2025 18:57

Last updated

1 unique sources, 1 articles

Summary

Hide ▲

Threat actors are actively exploiting a critical vulnerability in the Service Finder WordPress theme, allowing them to bypass authentication and gain administrative access. The flaw, tracked as CVE-2025-5947, affects versions 6.0 and older and has been exploited since September 2025. The vulnerability enables attackers to log in as any user, including administrators, without authentication. Over 13,800 exploitation attempts have been recorded since August 2025, with a surge of over 1,500 attempts daily in late September. Administrators are advised to update to version 6.1 or stop using the theme to mitigate the risk.

Timeline

08.10.2025 18:57 1 articles · 2h ago

Active exploitation of CVE-2025-5947 in Service Finder WordPress theme
Threat actors began exploiting a critical vulnerability in the Service Finder WordPress theme in September 2025. The flaw, tracked as CVE-2025-5947, allows attackers to bypass authentication and gain administrative access. Over 13,800 exploitation attempts have been recorded since August 2025, with a surge of over 1,500 attempts daily in late September. The vulnerability affects versions 6.0 and older and was discovered by a security researcher in June 2025. The vendor released a fix in July 2025, but exploitation began shortly after public disclosure. Administrators are advised to update to version 6.1 or stop using the theme to mitigate the risk.
Show sources

Hackers exploit auth bypass in Service Finder WordPress theme — www.bleepingcomputer.com — 08.10.2025 18:57
Open in new tab

Information Snippets

The vulnerability allows attackers to bypass authentication and log in as administrators.
First reported: 08.10.2025 18:57

1 source, 1 article
Show sources
- Hackers exploit auth bypass in Service Finder WordPress theme — www.bleepingcomputer.com — 08.10.2025 18:57
CVE-2025-5947 affects Service Finder versions 6.0 and older.
First reported: 08.10.2025 18:57

1 source, 1 article
Show sources
- Hackers exploit auth bypass in Service Finder WordPress theme — www.bleepingcomputer.com — 08.10.2025 18:57
The flaw stems from improper validation of the original_user_id cookie in the service_finder_switch_back() function.
First reported: 08.10.2025 18:57

1 source, 1 article
Show sources
- Hackers exploit auth bypass in Service Finder WordPress theme — www.bleepingcomputer.com — 08.10.2025 18:57
Over 13,800 exploitation attempts have been recorded since August 1, 2025.
First reported: 08.10.2025 18:57

1 source, 1 article
Show sources
- Hackers exploit auth bypass in Service Finder WordPress theme — www.bleepingcomputer.com — 08.10.2025 18:57
A surge of over 1,500 attack attempts daily was observed from September 23, 2025.
First reported: 08.10.2025 18:57

1 source, 1 article
Show sources
- Hackers exploit auth bypass in Service Finder WordPress theme — www.bleepingcomputer.com — 08.10.2025 18:57
The vulnerability was discovered by security researcher 'Foxyyy' and reported on June 8, 2025.
First reported: 08.10.2025 18:57

1 source, 1 article
Show sources
- Hackers exploit auth bypass in Service Finder WordPress theme — www.bleepingcomputer.com — 08.10.2025 18:57
The vendor, Aonetheme, released a fix in version 6.1 on July 17, 2025.
First reported: 08.10.2025 18:57

1 source, 1 article
Show sources
- Hackers exploit auth bypass in Service Finder WordPress theme — www.bleepingcomputer.com — 08.10.2025 18:57
The issue was publicly disclosed at the end of July 2025, with exploitation beginning the next day.
First reported: 08.10.2025 18:57

1 source, 1 article
Show sources
- Hackers exploit auth bypass in Service Finder WordPress theme — www.bleepingcomputer.com — 08.10.2025 18:57
Attackers use HTTP GET requests with the query parameter switch_back=1 to impersonate users.
First reported: 08.10.2025 18:57

1 source, 1 article
Show sources
- Hackers exploit auth bypass in Service Finder WordPress theme — www.bleepingcomputer.com — 08.10.2025 18:57
Several IP addresses have been identified as sources of the attacks, but attackers can switch to new ones.
First reported: 08.10.2025 18:57

1 source, 1 article
Show sources
- Hackers exploit auth bypass in Service Finder WordPress theme — www.bleepingcomputer.com — 08.10.2025 18:57
Administrators should review logs for suspicious activity and update to version 6.1 or stop using the theme.
First reported: 08.10.2025 18:57

1 source, 1 article
Show sources
- Hackers exploit auth bypass in Service Finder WordPress theme — www.bleepingcomputer.com — 08.10.2025 18:57

Summary

Timeline

Active exploitation of CVE-2025-5947 in Service Finder WordPress theme

Information Snippets