Skip to main content
CVE Vulnerability Database

CVE-2025-6574: Service Finder Bookings Privilege Escalation

CVE-2025-6574 is a privilege escalation vulnerability in the Service Finder Bookings WordPress plugin that allows attackers to take over administrator accounts. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-6574 Overview

CVE-2025-6574 is a privilege escalation vulnerability in the Service Finder Bookings plugin for WordPress, affecting all versions up to and excluding 6.1. The plugin fails to validate a user's identity before updating account details such as email addresses. Authenticated attackers with subscriber-level access or higher can change any user's email, including administrators, then trigger a password reset to seize the account. The flaw is classified under CWE-639: Authorization Bypass Through User-Controlled Key.

Critical Impact

A subscriber-level account is sufficient to take over a WordPress administrator account, granting full control of the affected site.

Affected Products

  • Service Finder Bookings plugin for WordPress (all versions < 6.1)
  • Service Finder WordPress theme distributions bundling the vulnerable plugin
  • WordPress sites with authenticated user registration enabled and the plugin active

Discovery Timeline

  • 2025-11-01 - CVE-2025-6574 published to the National Vulnerability Database
  • 2026-04-15 - Last updated in the NVD database

Technical Details for CVE-2025-6574

Vulnerability Analysis

The Service Finder Bookings plugin exposes an authenticated endpoint that updates user profile fields, including the account email address. The endpoint accepts a user identifier supplied by the requester and applies the email change without confirming that the requester owns the target account. This is a classic Insecure Direct Object Reference (IDOR) pattern combined with missing authorization checks.

Once an attacker changes an administrator's email to one they control, they invoke the standard WordPress password-reset workflow. WordPress dispatches the reset link to the attacker-controlled inbox, and the attacker completes the reset to assume the administrator identity. The vulnerability requires only network access and low privileges, and no user interaction is needed beyond authenticating as a subscriber.

Root Cause

The root cause is improper authorization enforcement on the profile-update handler. The plugin treats the user-supplied account identifier as authoritative rather than deriving the target user from the authenticated session. Without an ownership check or capability check, the handler grants any authenticated caller write access to arbitrary user records.

Attack Vector

An attacker registers or compromises a subscriber-level WordPress account on the target site. They send a crafted request to the plugin's account-update endpoint, specifying the administrator's user ID and a new email address under their control. After the email is replaced, they request a password reset for the administrator account through the standard WordPress login page. The reset email arrives at the attacker's inbox, enabling full account takeover.

No verified public exploit code is available at the time of writing. Technical details are documented in the Wordfence Vulnerability Report.

Detection Methods for CVE-2025-6574

Indicators of Compromise

  • Unexpected changes to the user_email field for administrator or editor accounts in the wp_users table.
  • WordPress password-reset emails sent to administrator accounts that were not initiated by the legitimate owner.
  • New administrator logins from previously unseen IP addresses or user agents shortly after a password-reset event.
  • Subscriber-level accounts issuing POST requests to Service Finder Bookings AJAX or REST endpoints associated with profile updates.

Detection Strategies

  • Audit wp_users and wp_usermeta change history for email modifications applied to privileged accounts.
  • Inspect web server access logs for authenticated requests targeting Service Finder Bookings update endpoints originating from low-privilege sessions.
  • Correlate email-change events with subsequent password-reset requests and successful administrator logins within short time windows.
  • Deploy a WordPress activity log plugin to capture user profile modifications with the acting user and target user recorded.

Monitoring Recommendations

  • Alert on any modification to administrator email addresses and require out-of-band verification.
  • Forward WordPress audit logs to a centralized SIEM or data lake for cross-event correlation.
  • Monitor for spikes in subscriber registrations followed by privilege-tier user record changes.
  • Track outbound mail server logs for password-reset messages directed to external or disposable email domains.

How to Mitigate CVE-2025-6574

Immediate Actions Required

  • Update the Service Finder Bookings plugin to version 6.1 or later on all WordPress installations.
  • Review every administrator and editor account for unauthorized email changes and restore legitimate values.
  • Force a password reset for all privileged accounts and invalidate active sessions.
  • Temporarily disable open user registration if the plugin cannot be updated immediately.

Patch Information

The vendor addressed the issue in Service Finder Bookings version 6.1. The fix introduces proper identity validation before applying profile updates. Refer to the Wordfence Vulnerability Report and the ThemeForest Service Finder listing for download and update instructions.

Workarounds

  • Deactivate the Service Finder Bookings plugin until the upgrade to version 6.1 can be applied.
  • Restrict access to the plugin's AJAX and REST endpoints with a web application firewall rule that requires administrator capabilities.
  • Enable two-factor authentication on all administrator accounts to blunt password-reset abuse.
  • Disable self-service user registration (Settings → General → Membership) to prevent attackers from acquiring subscriber accounts.
bash
# Example WP-CLI commands to harden an affected site
wp plugin update service-finder-bookings --version=6.1
wp option update users_can_register 0
wp user list --role=administrator --fields=ID,user_login,user_email

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.