Over the past two months, threat actors have weaponized a critical authentication bypass flaw in the Service Finder Bookings WordPress plugin, enabling them to hijack any account on compromised sites.
First disclosed on July 31, 2025, the vulnerability emerged after a bug bounty submission revealed that the plugin’s servicefinderswitchback function failed to validate a user-switch cookie before elevating privileges.
Attackers quickly reverse-engineered the weakness, triggering mass exploitation campaigns that began on August 1 and intensified throughout September.
During this period, the Wordfence Firewall blocked more than 13,800 exploit attempts across thousands of sites running affected versions.
In their initial probing phase, adversaries sent specially crafted HTTP requests that included a malicious originaluserid cookie, bypassing authentication entirely.
Wordfence analysts noted the sudden uptick in abnormal switchback requests within hours of public disclosure, prompting the rapid deployment of a firewall rule for all Wordfence Premium, Care, and Response customers.
CVE ID: CVE-2025-5947
Affected Plugin: Service Finder Bookings
Versions Affected: ≤ 6.0
Patched Version: 6.1
CVSS 3.1 Score: 9.8
Attack Vector: Authentication Bypass
Sites using the free version received protection after a 30-day delay, leaving many installations exposed until mid-July.
The impact of successful exploitation is catastrophic: an unauthenticated actor gains complete administrator privileges, allowing installation of backdoors, data exfiltration, or site defacement.
With over 6,000 active installs of the vulnerable plugin, the threat landscape widened as scanning bots and scripted exploit kits began probing for Service Finder Bookings endpoints.
Infection Mechanism
A closer look at the exploit reveals that attackers target the servicefinderswitchback endpoint by sending a GET request to ?switchback=1 with the Cookie: originaluserid=<target_id>.
The plugin code then invokes:

```php
// Vulnerable switch-back logic as described above: the user ID comes straight
// from a client-controlled cookie and is trusted without any authentication,
// capability or nonce check.
if ( isset( $_COOKIE['originaluserid'] ) ) {
    $originaluserid = intval( $_COOKIE['originaluserid'] );
    wp_set_current_user( $originaluserid );
    wp_set_auth_cookie( $originaluserid, true );
}
```
Because neither authentication nor nonce checks are performed, the attacker’s supplied user ID is accepted unconditionally, logging them in as that user—often the site administrator.
This simple yet powerful bypass underscores the importance of rigorous input validation in session-handling routines.
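For contrast, here is an added example of how a switch-back handler can be written so that the target user is derived from server-side state rather than a client cookie. This is illustrative code, not the plugin's own code and not its 6.1 fix; the meta key sf_switched_from, the nonce action sf_switchback and the function name are hypothetical.

```php
<?php
// Added example (not the plugin's code). Assumes that when an administrator
// switches into another account, the plugin records the administrator's ID in
// the target user's meta under the hypothetical key 'sf_switched_from'.

function example_hardened_switchback() {
    if ( ! isset( $_GET['switchback'] ) ) {
        return;
    }
    // 1. Only an authenticated session can have an "original" user to return to;
    //    an anonymous visitor is rejected outright.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not authenticated.', 403 );
    }
    // 2. CSRF protection: the switch-back link must carry a nonce for this action
    //    (hypothetical action name 'sf_switchback').
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'sf_switchback' ) ) {
        wp_die( 'Invalid request.', 403 );
    }
    // 3. Resolve the original user from server-side state tied to the current
    //    session, never from a value the client supplies.
    $current_id  = get_current_user_id();
    $original_id = (int) get_user_meta( $current_id, 'sf_switched_from', true );
    if ( $original_id <= 0 || ! get_userdata( $original_id ) ) {
        wp_die( 'No switch-back record.', 403 );
    }
    // 4. Honour the record only if the original account is actually allowed to
    //    switch users; a stale or tampered record for a low-privilege user fails here.
    if ( ! user_can( $original_id, 'edit_users' ) ) {
        wp_die( 'Not permitted.', 403 );
    }
    // 5. Consume the record so it cannot be replayed, then switch back.
    delete_user_meta( $current_id, 'sf_switched_from' );
    wp_set_current_user( $original_id );
    wp_set_auth_cookie( $original_id, true );
    wp_safe_redirect( admin_url() );
    exit;
}
add_action( 'init', 'example_hardened_switchback' );
```

The checks are ordered from cheapest to most specific so that unauthenticated probes such as the ones described above are rejected before any user lookup happens.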
The post Hackers Actively Exploiting WordPress Plugin Vulnerability to Gain Admin Access appeared first on Cyber Security News.