Attackers exploiting critical auth-bypass flaw in Service Finder WordPress theme

Threat actors are actively exploiting a critical vulnerability in the Service Finder WordPress theme that allows them to bypass authentication and log in as administrators, security firm Wordfence said. Administrator access in WordPress grants full control over site content and settings and can be used to create accounts, upload PHP files and export databases.

Service Finder is a premium theme commonly used for service directories and job boards, offering booking, feedback, time-slot and staff management, invoice generation and payments. The theme has more than 6,000 sales on Envato Market and is typically deployed on active sites that handle customer bookings.

The flaw is tracked as CVE-2025-5947, carries a CVSS score of 9.8 (critical), and affects Service Finder versions 6.0 and older, the report said. The issue stems from improper validation of the original_user_id cookie in the theme's service_finder_switch_back() function: because the function trusts the user ID supplied in that cookie, an unauthenticated attacker can be logged in as any existing user, including administrators. The vulnerability was reported by researcher 'Foxyyy' through Wordfence's bug bounty program on June 8; vendor Aonetheme released a fix in version 6.1 on July 17, and public disclosure and active exploitation followed at the end of that month.

Wordfence recorded more than 13,800 exploitation attempts since August 1 and observed a surge of more than 1,500 attack attempts per day for about a week beginning Sept. 23. Based on the researchers' analysis, a typical attack is an HTTP GET request to the site root carrying the query parameter switch_back=1, with the original_user_id cookie set to the ID of the account the attacker wants to impersonate. The firm said the attacks came from many IP addresses, with thousands of requests originating from five of them: 5.189.221.98, 185.109.21.157, 192.121.16.196, 194.68.32.71 and 178.125.204.198.

The researchers suggested blocklisting the identified IPs as a short-term defensive measure but warned that attackers can rotate addresses. Site administrators were advised to apply the patch from Aonetheme (version 6.1 or later) as soon as possible or stop using the theme, and to review access logs for requests containing switch_back=1 and for other suspicious activity, as well as the user list for administrator accounts created for persistence. Since administrator access also allows uploading PHP files and exporting the database, a site that saw exploitation attempts should also be checked for unexpected files in the web root and uploads directory. Wordfence cautioned that the absence of log entries does not guarantee a site has not been compromised, because an attacker with administrator access could delete the evidence.
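To make the log review described above concrete, here is an added example (not code from the article, Wordfence or Aonetheme) that scans web server access logs in the common combined format for the attack signature the report describes: GET requests whose query string contains switch_back=1, cross-referenced against the five IP addresses named in the report. The sample log lines are constructed for illustration; the status codes and timestamps in them are invented and should not be read as indicators of success. The check matches the parameter on any path, not only the site root, on the assumption that the parameter rather than the path is what triggers the vulnerable code. Note that the attacker-supplied original_user_id cookie is not present in standard access logs, so this cannot tell you which account was targeted, and, as Wordfence warns, a clean log is not proof the site was not compromised.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format:
#   ip - - [time] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# IP addresses named in the Wordfence report quoted in the article above.
# Blocklisting them is a stopgap only: attackers rotate source addresses.
REPORTED_IPS = {
    "5.189.221.98",
    "185.109.21.157",
    "192.121.16.196",
    "194.68.32.71",
    "178.125.204.198",
}

# Constructed sample lines (not real traffic). Timestamps, sizes and status
# codes are invented; 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [23/Sep/2025:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '5.189.221.98 - - [23/Sep/2025:10:01:09 +0000] "GET /?switch_back=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [23/Sep/2025:10:02:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Sep/2025:10:03:44 +0000] "GET /index.php?switch_back=1&x=1 HTTP/1.1" 302 0 "-" "curl/8.4.0"',
    '203.0.113.30 - - [23/Sep/2025:10:04:00 +0000] "GET /?s=switch_back HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it
    does not match (malformed lines are skipped rather than raising)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    parts = urlsplit(target)
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "method": m.group("method"),
        "path": parts.path,
        # parse_qs yields lists, e.g. {"switch_back": ["1"]}
        "query": parse_qs(parts.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def is_switch_back_attempt(entry):
    """True when the request carries switch_back=1 as a real query parameter.
    A search for the string 'switch_back' (?s=switch_back) does not count."""
    return entry["method"] == "GET" and "1" in entry["query"].get("switch_back", [])


def triage(lines):
    """Return one finding per suspicious line. A line is reported when it
    carries the exploit parameter or originates from a reported IP; the
    'reasons' list says which (or both)."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = []
        if is_switch_back_attempt(entry):
            reasons.append("switch_back_param")
        if entry["ip"] in REPORTED_IPS:
            reasons.append("reported_ip")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f'{f["time"]} {f["ip"]} {f["method"]} {f["path"]} '
              f'status={f["status"]} reasons={",".join(f["reasons"])}')
```

On a real server, replace SAMPLE_LOG with the lines of the access log (for example `open("/var/log/nginx/access.log")`), and treat every hit as a reason to inspect the site's administrator accounts and recently modified files, whether or not the source IP is one of the five named in the report.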