Service Finder WordPress Theme Exploit Gives Hackers Admin Access

Hackers are now exploiting a severe vulnerability in the Service Finder WordPress theme. The flaw lets them bypass login screens and get administrator access without credentials.

1. What Is the Vulnerability (CVE 2025 5947) in Service Finder WordPress theme

The bug is tracked as CVE 2025 5947 and has a critical severity score of 9.8
It affects all versions up to 6.0 of Service Finder
The root cause is improper validation of the original_user_id cookie inside the service_finder_switch_back function
Attackers can send a crafted request with switch_back=1 and impersonate any user including admin without ever giving a valid password.

2. Scope and Impact of Service Finder Exploits

Service Finder is a premium theme often used for service directories, booking platforms, and job boards
It supports features like bookings, feedback systems, staff management, invoices, and payment gateways.

Because many sites use it in production, this successful exploit put these sites at risk by granting full control including uploading malicious PHP, creating hidden admin accounts, editing content, or exporting the database

3. Timeline of Discovery and Exploitation in Service Finder WordPress theme

• June 8 2025
Security researcher Foxyyy discovered the flaw and reported it through Wordfence’s bug bounty program

• July 17 2025
Vendor Aonetheme released Service Finder version 6.1 claiming it patched the vulnerability

• End of July 2025
The fix was publicly disclosed and exploitation attacks began almost immediately

• Since August 1 2025
Wordfence has recorded over 13800 exploit attempts targeting vulnerable sites

• Late September
A sharp surge saw more than 1500 daily attacks for at least a week

4. Attack Patterns and IPs to Watch

Most attacks use a simple GET request to the site root adding switch_back=1 to impersonate users
Though many IPs are used, five addresses are responsible for thousands of requests

• 5.189.221.98
• 185.109.21.157
• 192.121.16.196
• 194.68.32.71
• 178.125.204.198

Blocking these may help reduce risk temporarily, but attackers can change IPs at any time

5. How to Protect Your Site Using Service Finder Theme

• Update immediately to Service Finder version 6.1 if you are using version 6.0 or older
• Block known malicious IPs including the five listed above as a short term measure
• Scan your logs for switch_back requests or suspicious admin activity
• Review your admin accounts and look for newly created or unfamiliar users
• Backup your site and database before making changes
• Consider disabling or temporarily removing the theme if you cannot patch immediately
• Monitor your site for signs of compromise even if no suspicious logs are found

Final Thoughts

This active exploit targeting the Service Finder WordPress theme is a sharp reminder that no site is too small or niche to be targeted. Hackers often rely on known vulnerabilities and outdated themes to quietly gain access and take control.

If you’re running WordPress, staying updated is not optional , it’s a core part of keeping your site, your users, and your data safe.

Security isn’t just about installing a plugin and forgetting it. It’s about regularly reviewing your themes, checking your logs, backing up your content, and applying patches the moment they’re released.

Whether you use Service Finder or not, take this as a cue to audit your site today. A few minutes of prevention could save you from hours of recovery later.

Your site’s security is only as strong as its weakest update.