CVE-2025-5954
Published: 01 August 2025
Summary
CVE-2025-5954 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Themeforest (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 49.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces least privilege principle to prevent unauthenticated attackers from assigning themselves administrator roles during plugin registration.
Manages account creation and modification processes, requiring restrictions and approvals for role assignments to block unauthorized privilege escalation.
Validates inputs in the aonesms_fn_savedata_after_signup() function to reject invalid or elevated user role selections during registration.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated remote exploitation of improper privilege management in public-facing WordPress plugin signup enables account creation with admin rights (T1136.001) and privilege escalation (T1068) via public app exploit (T1190).
NVD Description
The Service Finder SMS System plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.0.0. This is due to the plugin not restricting user role selection at the time of registration…
more
through the aonesms_fn_savedata_after_signup() function. This makes it possible for unauthenticated attackers to register as an administrator user.
Deeper analysisAI
CVE-2025-5954 is a privilege escalation vulnerability via account takeover affecting the Service Finder SMS System plugin for WordPress in all versions up to and including 2.0.0. The issue stems from the plugin's aonesms_fn_savedata_after_signup() function failing to restrict user role selection during registration, enabling attackers to assign themselves elevated privileges. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-269 (Improper Privilege Management).
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By registering a new account through the plugin's signup process, they can select and gain administrator privileges, potentially achieving full control over the WordPress site, including access to sensitive data, modification of content, and execution of arbitrary actions.
Advisories and further details are available from the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/520c1e8b-d0c1-4201-90bf-0cefab9af7e0?source=cve and the plugin's listing on ThemeForest at https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793. Security practitioners should review these sources for patch information and mitigation guidance.
Details
- CWE(s)