Cyber Resilience

CVE-2025-5947

Critical

Published: 01 August 2025

Published
01 August 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.6170 98.4th percentile
Risk Priority 57 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-5947 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Vicarius (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Deeper analysis

The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to and including 6.0. The flaw arises because the service_finder_switch_back() function fails to properly validate a user's cookie value before logging the user in, allowing unauthorized access. This issue is tracked as CWE-639 and carries a CVSS 3.1 score of 9.8.

Unauthenticated attackers can exploit the vulnerability over the network to log in as any user, including administrators, thereby gaining full control over the affected WordPress site and its data.

Public references from Wordfence and Vicarius provide guidance on detection and mitigation for this issue in the Service Finder theme ecosystem. The EPSS score stands at 0.6170 with no indicated change from a lower baseline.

EU & UK References

Vulnerability details

The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's cookie value prior to logging them…

more

in through the service_finder_switch_back() function. This makes it possible for unauthenticated attackers to login as any user including admins.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Auth bypass in public-facing WordPress plugin directly enables remote exploitation (T1190) and unauthorized privilege escalation to admin accounts (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-10497Shared CWE-639
CVE-2026-2414Shared CWE-639
CVE-2026-25147Shared CWE-639
CVE-2020-37094Shared CWE-639
CVE-2024-34520Shared CWE-639
CVE-2025-14996Shared CWE-639
CVE-2025-69274Shared CWE-639
CVE-2026-25497Shared CWE-639
CVE-2025-15018Shared CWE-639
CVE-2026-1619Shared CWE-639

Affected Assets

Vicarius
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of user-controlled inputs like cookie values before processing them for authentication, directly preventing the bypass exploited in CVE-2025-5947.

prevent

Mandates secure management and verification of authenticators, including cookies used by the service_finder_switch_back() function to log in users.

prevent

Enforces approved access authorizations in accordance with policy, blocking privilege escalation from unauthenticated cookie manipulation.

References