
Critical WordPress Theme Exploit Lets Hackers Gain Admin Access — Over 13,000 Attacks Recorded

A critical vulnerability in the Service Finder WordPress theme has triggered a wave of cyberattacks, allowing hackers to bypass authentication and gain administrator-level access to thousands of websites. The flaw, tracked as CVE-2025-5947, has a severity score of 9.8, placing it among the most dangerous types of web vulnerabilities.

Security experts at Wordfence have recorded more than 13,800 exploitation attempts since August 1, revealing that threat actors are actively targeting unpatched versions of the theme. The Service Finder theme, a premium product popular on Envato Market with over 6,000 installations, is widely used by service directory and booking websites. It supports complex features such as customer reservations, invoice generation, and payment processing, making it a valuable target for attackers seeking administrative access.

The vulnerability stems from improper validation of the original_user_id cookie within the service_finder_switch_back() function. This weakness enables attackers to log in as any user, including site administrators, without requiring valid credentials. The issue was originally discovered by security researcher ‘Foxyyy’ through Wordfence’s bug bounty program in early June. The vendor, Aonetheme, patched the flaw in version 6.1, released on July 17, but widespread exploitation began shortly after public disclosure at the end of the month.

Since September 23, Wordfence has observed an average of 1,500 attack attempts per day, indicating sustained interest by malicious actors. The attacks typically use an HTTP GET request to the website's root path carrying the switch_back=1 query parameter, which lets the attacker take over a legitimate user session. Most attacks have been traced to five primary IP addresses: 5.189.221.98, 185.109.21.157, 192.121.16.196, 194.68.32.71, and 178.125.204.198. While these IPs have been blocklisted, attackers frequently rotate addresses, so IP-based blocking alone is of limited value.

According to Wordfence analysts, the absence of obvious indicators does not ensure safety. Once attackers gain administrator privileges, they can delete logs, create new admin accounts, or upload malicious PHP scripts to maintain persistence while concealing evidence of compromise. Administrators are urged to inspect their logs, identify any suspicious user activity, and immediately apply the 6.1 update or disable the Service Finder theme entirely until it’s secured.
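As an added example (not code from the article or from Wordfence) of the log review the paragraph above recommends, the script below scans web server access-log lines in the common "combined" format for the reported pattern, a GET to the site root with switch_back=1, and summarises sources per IP, flagging any source not on the published list and any request the server did not reject. The sample log lines are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Source addresses named in the Wordfence report (from the article, not constructed)
REPORTED_IPS = {"5.189.221.98", "185.109.21.157", "192.121.16.196",
                "194.68.32.71", "178.125.204.198"}

# Apache/nginx "combined" access-log format (assumed log format)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Constructed sample lines: two probes (one from a reported IP, one from a new one),
# one ordinary page view and one unrelated login POST.
SAMPLE_LOG = """\
5.189.221.98 - - [24/Sep/2025:10:01:12 +0000] "GET /?switch_back=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Sep/2025:10:02:44 +0000] "GET /?switch_back=1 HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.9 - - [24/Sep/2025:10:03:01 +0000] "GET /services/?page=2 HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
5.189.221.98 - - [24/Sep/2025:10:04:30 +0000] "POST /wp-login.php HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
"""

def is_switch_back_probe(method, target):
    """True for the reported pattern: a GET to the site root whose query has switch_back=1."""
    parts = urlsplit(target)
    if method != "GET" or parts.path not in ("", "/"):
        return False
    return parse_qs(parts.query).get("switch_back", [None])[0] == "1"

def scan_access_log(log_text):
    """Return one record per matching request; lines that do not parse are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_switch_back_probe(m["method"], m["target"]):
            hits.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                         "reported_ip": m["ip"] in REPORTED_IPS})
    return hits

def summarize(hits):
    """Per-source counts, sources absent from the published list, and sources whose probe
    got a non-4xx/5xx answer. A 2xx/3xx only means the request was not blocked at the edge;
    whether the switch succeeded must be confirmed from WordPress user and session data."""
    per_ip = Counter(h["ip"] for h in hits)
    return {"per_ip": dict(per_ip),
            "new_sources": sorted(set(per_ip) - REPORTED_IPS),
            "not_rejected": sorted({h["ip"] for h in hits if h["status"] < 400})}

if __name__ == "__main__":
    print(summarize(scan_access_log(SAMPLE_LOG)))
```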

This incident serves as a stark reminder of the risks associated with outdated WordPress themes and plugins. Even trusted premium products can become dangerous if left unpatched. With CVE-2025-5947 now being exploited globally, prompt patching and continuous security monitoring are essential to protect site integrity and data.
