Cyber Resilience

CVE-2025-5955

High

Published: 19 September 2025

Published
19 September 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0020 41.5th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-5955 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Themeforest (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-5955, published on 2025-09-19, is an authentication bypass vulnerability in the Service Finder SMS System plugin for WordPress, affecting all versions up to and including 2.0.0. The flaw arises because the plugin does not verify a user's phone number before logging them in, mapped to CWE-288 (Authentication Bypass Using an Alternate Path or Channel). It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to substantial impacts on confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this over the network to log in as arbitrary users on vulnerable WordPress installations. The attack requires high complexity but no privileges, user interaction, or scope change, enabling full account takeover for targeted users.

Mitigation details are available in referenced advisories, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/cc4598a7-d5cf-4553-b29a-659fe288ece9?source=cve and the plugin listing on ThemeForest at https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793. Security practitioners should consult these for patch availability or workaround guidance.

EU & UK References

Vulnerability details

The Service Finder SMS System plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.0. This is due to the plugin not verifying a user's phone number before logging them in. This makes it…

more

possible for unauthenticated attackers to login as arbitrary users.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct authentication bypass in a public-facing WordPress plugin enabling unauthenticated login as arbitrary users, matching T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-10294Shared CWE-288
CVE-2026-3461Shared CWE-288
CVE-2025-67070Shared CWE-288
CVE-2026-42760Shared CWE-288
CVE-2026-44575Shared CWE-288
CVE-2026-1779Shared CWE-288
CVE-2025-0316Shared CWE-288
CVE-2026-45109Shared CWE-288
CVE-2025-5397Shared CWE-288
CVE-2026-31271Shared CWE-288

Affected Assets

Themeforest
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires proper management and verification of authenticators, directly addressing the plugin's failure to verify phone numbers before granting login access.

prevent

Mandates enforcement of approved access authorizations, preventing unauthenticated attackers from bypassing login controls to impersonate arbitrary users.

prevent

Ensures timely identification, reporting, and correction of flaws like this authentication bypass vulnerability in the WordPress plugin.

References