Service Finder WordPress theme active auth bypass exploitation wave (CVE-2025-5947)
Exploitation Wave
Summary
Hide ▲
Show ▼
CVE-2025-5947 is being exploited at scale against the Service Finder WordPress theme, with attackers using an authentication bypass to log in as administrators and take over affected sites. Wordfence saw more than 13,800 attempts since August 1, including a surge of over 1,500 per day for about a week starting September 23. The flaw affects Service Finder versions 6.0 and older, and the vendor fixed it in version 6.1. The wave matters because successful abuse gives attackers full WordPress control, including account creation, PHP uploads, and database export.
Related Happenings
OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation Wave
First: 17.05.2026 14:57
Last: 17.05.2026 14:57
Sources 1
About this happening:
**openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...
OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation WaveAbout this happening: **openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...
Burst Statistics authentication bypass (CVE-2026-8181)
Vulnerability
First: 15.05.2026 00:07
Last: 15.05.2026 00:07
Sources 1
About this happening:
**Burst Statistics** on **WordPress sites** is facing active exploitation of **CVE-2026-8181**, a critical **authentication bypass** that can let unauthenticated attackers imperso...
Burst Statistics authentication bypass (CVE-2026-8181)
VulnerabilityAbout this happening: **Burst Statistics** on **WordPress sites** is facing active exploitation of **CVE-2026-8181**, a critical **authentication bypass** that can let unauthenticated attackers imperso...
Breeze Cache unauthenticated file-upload flaw (CVE-2026-3844)
Vulnerability
First: 24.04.2026 00:33
Last: 24.04.2026 00:33
Sources 1
About this happening:
Active exploitation of **CVE-2026-3844** in the **Breeze Cache** WordPress plugin puts sites running versions up to **2.4.4** at risk of **unauthenticated arbitrary file upload**,...
Breeze Cache unauthenticated file-upload flaw (CVE-2026-3844)
VulnerabilityAbout this happening: Active exploitation of **CVE-2026-3844** in the **Breeze Cache** WordPress plugin puts sites running versions up to **2.4.4** at risk of **unauthenticated arbitrary file upload**,...
TP-Link router authenticated command injection (CVE-2023-33538)
Vulnerability
First: 20.04.2026 10:50
Last: 20.04.2026 10:50
Sources 1
About this happening:
**CVE-2023-33538** in **discontinued TP-Link routers** is still being probed, leaving exposed devices at risk of **arbitrary command execution** and **denial of service** if attac...
TP-Link router authenticated command injection (CVE-2023-33538)
VulnerabilityAbout this happening: **CVE-2023-33538** in **discontinued TP-Link routers** is still being probed, leaving exposed devices at risk of **arbitrary command execution** and **denial of service** if attac...
Nginx UI auth-bypass exploitation wave (CVE-2026-33032)
Exploitation Wave
First: 16.04.2026 01:35
Last: 16.04.2026 01:35
Sources 1
About this happening:
**CVE-2026-33032** is now **actively exploited**, creating immediate risk for **publicly exposed Nginx UI** instances that rely on the vulnerable **/mcp_message** endpoint. Intern...
Nginx UI auth-bypass exploitation wave (CVE-2026-33032)
Exploitation WaveAbout this happening: **CVE-2026-33032** is now **actively exploited**, creating immediate risk for **publicly exposed Nginx UI** instances that rely on the vulnerable **/mcp_message** endpoint. Intern...
Timeline
-
08.10.2025 18:57 3 articles · 7mo ago
Wordfence reports active exploitation and switch_back IOCs
Detection Ioc UpdateWordfence reports active exploitation of CVE-2025-5947 against the Service Finder WordPress theme, with more than 13,800 exploit attempts since August 1 and a surge of more than 1,500 attack attempts every day for about a week since September 23. Typical attacks use an HTTP GET request to the root path with `switch_back=1`, and the only clear indicator of compromise is a request containing the `switch_back` parameter.
Show sources
- Hackers exploit auth bypass in Service Finder WordPress theme — www.bleepingcomputer.com — 08.10.2025 18:57
- Hackers exploit auth bypass in Service Finder WordPress theme — www.bleepingcomputer.com — 08.10.2025 18:57
- Critical Exploit Lets Hackers Bypass Authentication in WordPress Service Finder Theme — thehackernews.com — 09.10.2025 09:57
-
17.07.2025 03:00 1 articles · 10mo ago
Aonetheme releases Service Finder 6.1 fixing CVE-2025-5947
Mitigation Patch UpdateAonetheme releases Service Finder version 6.1 on July 17 to address the security issue affecting Service Finder versions 6.0 and older, closing the authentication-bypass weakness in `service_finder_switch_back()`.
Show sources
- Hackers exploit auth bypass in Service Finder WordPress theme — www.bleepingcomputer.com — 08.10.2025 18:57
-
08.06.2025 03:00 1 articles · 11mo ago
Foxyyy reports CVE-2025-5947 through Wordfence
Initial DisclosureSecurity researcher 'Foxyyy' reports CVE-2025-5947 through Wordfence's bug bounty program on June 8, identifying an authentication-bypass flaw in Service Finder that can let an attacker log in as an administrator.
Show sources
- Hackers exploit auth bypass in Service Finder WordPress theme — www.bleepingcomputer.com — 08.10.2025 18:57