CVE-2025-5947
Published: 01 August 2025
Summary
CVE-2025-5947 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Vicarius (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).
Deeper analysis
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to and including 6.0. The flaw arises because the service_finder_switch_back() function fails to properly validate a user's cookie value before logging the user in, allowing unauthorized access. This issue is tracked as CWE-639 and carries a CVSS 3.1 score of 9.8.
Unauthenticated attackers can exploit the vulnerability over the network to log in as any user, including administrators, thereby gaining full control over the affected WordPress site and its data.
Public references from Wordfence and Vicarius provide guidance on detection and mitigation for this issue in the Service Finder theme ecosystem. The EPSS score stands at 0.6170 with no indicated change from a lower baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23319
Vulnerability details
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's cookie value prior to logging them…
more
in through the service_finder_switch_back() function. This makes it possible for unauthenticated attackers to login as any user including admins.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Auth bypass in public-facing WordPress plugin directly enables remote exploitation (T1190) and unauthorized privilege escalation to admin accounts (T1068).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation of user-controlled inputs like cookie values before processing them for authentication, directly preventing the bypass exploited in CVE-2025-5947.
Mandates secure management and verification of authenticators, including cookies used by the service_finder_switch_back() function to log in users.
Enforces approved access authorizations in accordance with policy, blocking privilege escalation from unauthenticated cookie manipulation.