A popular WordPress theme has a worrying security flaw which could allow full site takeover - here's what we know
WordPress users should install the patch as soon as they can

- CVE-2025-5947 allows unauthenticated admin access in Service Finder WordPress theme versions ≤ 6.0
- Over 13,800 exploit attempts observed since August; attackers actively target vulnerable sites
- Patching is critical; blocking five known IPs may help but won’t stop future attacks
Websites running the popular Service Finder Bookings WordPress theme are being actively targeted following the discovery of a critical severity vulnerability.
On July 17, Aonetheme released version 6.1 of Service Finder, which included a fix for an authentication bypass flaw that affected all versions up to, and including, 6.0. Since the plugin did not properly validate a user’s cookie value prior to logging them in, it was possible for unauthenticated attackers to log in as any user - including admin.
The vulnerability is tracked as CVE-2025-5947, and was given a severity score of 9.8/10 (critical), since it allowed full website takeover, data exfiltration, malware deployment, and more.
Thousands of attacks
The theme can be purchased on the Envato Market which shows it was acquired more than 6,000 times already. According to BleepingComputer, most sites that buy the theme are actively using it, so the attack surface could be rather large.
In addition, WordPress security company Wordfence says that since August 1 it has observed more than 13,800 attempts to exploit this vulnerability, meaning threat actors are well aware of it and are actively hunting for victims. At press time, Wordfence said it had seen more than 200 attacks in the last 24 hours alone.
Such a large number would suggest hundreds of attackers, but it seems that the majority of attack requests came from just five IP addresses.
This could make things easier for the defenders, since simply blocking them would be enough to prevent intrusions. However, the attackers could always switch to new ones, so patching the vulnerable product is still the best way to address the rising risk.
Also, those who are worried about being targeted should review their logs for suspicious or otherwise unexpected login activity, or accounts that threat actors may have created to establish persistence.
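As an added example (not from the article, Wordfence or Aonetheme), here are the two checks a site owner could script from that advice: a theme version test against the 6.1 fix, and a filter over `wp user list --format=json` output for administrator accounts registered since August 1, when exploitation attempts were first observed. The users JSON and the style.css text are constructed samples, and the comma-joined `roles` field is an assumption about wp-cli's output shape.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample of `wp user list --format=json` output (not real accounts).
SAMPLE_USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "siteowner", "roles": "administrator",
     "user_registered": "2023-03-02 10:11:12"},
    {"ID": 57, "user_login": "editor_jane", "roles": "editor",
     "user_registered": "2025-08-20 08:00:00"},
    {"ID": 58, "user_login": "wp_support1", "roles": "administrator",
     "user_registered": "2025-08-14 03:27:41"},
])

# Constructed style.css header for a still-vulnerable install (placeholder, not the vendor's file).
SAMPLE_STYLE_CSS = "/*\nTheme Name: Service Finder\nVersion: 6.0\n*/"

PATCHED_VERSION = (6, 1)  # Aonetheme shipped the CVE-2025-5947 fix in 6.1
EXPLOITATION_START = datetime(2025, 8, 1, tzinfo=timezone.utc)  # first attempts seen by Wordfence

def parse_version(text):
    """Turn '6.0' or '5.9.2' into an int tuple so 5.10 is not read as older than 5.9."""
    return tuple(int(p) for p in text.strip().split("."))

def theme_version(style_css):
    """Read the Version: header that every WordPress theme's style.css carries."""
    m = re.search(r"^\s*Version:\s*([0-9.]+)", style_css, re.MULTILINE)
    if not m:
        raise ValueError("no Version header in style.css")
    return parse_version(m.group(1))

def is_vulnerable(style_css):
    """True when the installed theme is 6.0 or older, i.e. still missing the fix."""
    return theme_version(style_css) < PATCHED_VERSION

def suspicious_admins(users_json, since=EXPLOITATION_START):
    """Administrator accounts registered since attacks began; each one needs manual review."""
    flagged = []
    for u in json.loads(users_json):
        roles = u["roles"].split(",")  # assumed: wp-cli joins multiple roles with commas
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if "administrator" in roles and registered.replace(tzinfo=timezone.utc) >= since:
            flagged.append(u["user_login"])
    return flagged

if __name__ == "__main__":
    print("theme vulnerable:", is_vulnerable(SAMPLE_STYLE_CSS))
    print("admin accounts to review:", suspicious_admins(SAMPLE_USERS_JSON))
```

A flagged account is not proof of compromise, only a lead; pair it with the login-activity review the article recommends.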
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.