CVE-2025-5948
Published: 19 September 2025
Summary
CVE-2025-5948 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Themeforest (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 41.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Enforces approved authorizations on the claim_business AJAX action to validate user identity and prevent unauthorized business claims leading to account takeover.
- Validates inputs such as claim_id in the AJAX action to ensure they are bound to the authenticated user, blocking authorization bypass via user-controlled keys and brute-forcing.
- Limits privileges of compromised accounts to the minimum necessary, reducing the impact of privilege escalation even if account takeover occurs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- Direct unauthenticated remote exploitation of a public-facing WordPress plugin for account takeover and privilege escalation to admin.
NVD Description
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's identity prior to claiming a business when using the claim_business AJAX action. This makes it possible for unauthenticated attackers to login as any user including admins. Please note that subscriber privileges or brute-forcing are needed when completing the business takeover. The claim_id is needed to takeover the admin account, but brute-forcing is a practical approach to obtaining valid IDs.
Deeper analysis
CVE-2025-5948 is a privilege escalation vulnerability via account takeover in the Service Finder Bookings plugin for WordPress, affecting all versions up to and including 6.0. The issue arises because the plugin fails to properly validate a user's identity prior to claiming a business through the claim_business AJAX action. Published on 2025-09-19, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-639 (Authorization Bypass Through User-Controlled Key).
Unauthenticated attackers can exploit this flaw to log in as any user, including administrators. Completing the business takeover requires subscriber privileges or brute-forcing valid claim_ids, which the description notes as a practical approach for obtaining the necessary IDs to target admin accounts.
Mitigation details are available in related advisories, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/7eb018bc-2650-4e0d-8da9-325eac826d45?source=cve and the plugin listing on ThemeForest at https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793.
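The controls listed above (access enforcement on the claim_business action, input validation of claim_id) can be illustrated with a WordPress AJAX handler. The following is an added, hypothetical example written for this page, not the Service Finder Bookings plugin's own code: it shows the CWE-639 pattern the advisory describes next to a hardened handler. The function names, the `sf_claim_business` capability and nonce action, the `sf_business` post type and the `_claimed_by` / `_claimant_user_id` meta keys are all assumptions.

```php
<?php
// Illustrative WordPress AJAX handlers (hypothetical; not the plugin's real code).

// WEAK PATTERN (CWE-639): the handler trusts a caller-supplied claim_id, looks up
// whichever user is recorded on that claim, and switches the session to that
// user. Any caller holding a valid claim_id ends up authenticated as its owner.
function sf_claim_business_weak() {
    $claim_id = intval( $_POST['claim_id'] ?? 0 );
    $owner_id = (int) get_post_meta( $claim_id, '_claimant_user_id', true ); // assumed meta key
    wp_set_auth_cookie( $owner_id );   // identity never checked against the caller
    wp_send_json_success();
}

// HARDENED PATTERN: require an authenticated session, a nonce, an explicit
// capability, and bind the claim to the server-side identity of the caller.
function sf_claim_business_hardened() {
    // 1. Authentication: unauthenticated requests are rejected outright.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    // 2. CSRF protection: nonce tied to this specific action (dies on failure).
    check_ajax_referer( 'sf_claim_business', 'nonce' );

    // 3. Authorization (AC-3): an explicit capability (assumed name) is required.
    if ( ! current_user_can( 'sf_claim_business' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Input validation (SI-10): claim_id must be a positive integer that refers
    //    to an existing, not-yet-claimed listing of the expected post type.
    $claim_id = absint( $_POST['claim_id'] ?? 0 );
    $listing  = $claim_id ? get_post( $claim_id ) : null;
    if ( ! $listing || 'sf_business' !== $listing->post_type
         || get_post_meta( $claim_id, '_claimed_by', true ) ) {
        wp_send_json_error( 'invalid claim', 400 );
    }

    // 5. Bind the claim to the *authenticated* user, never to an id from the
    //    request, and never change the session identity based on request data.
    update_post_meta( $claim_id, '_claimed_by', get_current_user_id() );
    wp_send_json_success( array( 'claim_id' => $claim_id ) );
}

// Register only the authenticated hook. Omitting the wp_ajax_nopriv_ variant
// keeps unauthenticated callers away from the action entirely.
add_action( 'wp_ajax_claim_business', 'sf_claim_business_hardened' );
```

In a code review, the absence of `check_ajax_referer`, `current_user_can`, and a server-side binding of `claim_id` to `get_current_user_id()` on a state-changing AJAX action is the signal to look for.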
Details
- CWE(s)