A critical security vulnerability has been identified and is being actively exploited in the Service Finder WordPress theme. Tracked as CVE-2025-5947 with a critical severity score of 9.8, the flaw allows unauthenticated attackers to bypass security measures and gain full administrative control of a website. The vulnerability stems from an improper validation of a cookie in the theme’s code, enabling attackers to impersonate any user, including the site administrator, without needing to log in. This level of access grants them the ability to control all content and settings, create new user accounts, upload malicious files, and export the site’s database, giving them total control.
The Service Finder theme, a premium product with over 6,000 sales on Envato Market, is widely used for creating service directory and job board websites. The vulnerability was responsibly disclosed to the theme’s vendor, Aonetheme, by a security researcher in June. Aonetheme released a patched version, 6.1, in July. However, the issue was made public at the end of July, and exploitation began almost immediately. This has put thousands of active sites at risk, as many have yet to apply the security update.
The security firm Wordfence has been monitoring the exploitation attempts and has seen a significant surge in attacks. For one week in September, they recorded more than 1,500 attack attempts every day. The researchers noted that a typical attack involves a simple HTTP request with a specific query parameter to impersonate an existing user. While the attacks are coming from various IP addresses, thousands of requests have originated from a handful of specific addresses, highlighting the concentrated nature of the attacks.
While some IP addresses have been identified and can be blocked, this is only a temporary fix, as attackers can easily switch to new ones. Due to the nature of the exploit, there are few clear indicators of compromise, making it difficult for administrators to detect an attack after the fact. The most reliable sign of an attack is the presence of the “switch_back” parameter in website logs, but an absence of this does not guarantee a site has not been compromised.
Given the active exploitation of this vulnerability, anyone using the Service Finder theme should update to version 6.1 immediately. It is also highly recommended that administrators review their logs for any suspicious activity or new accounts that may have been created for persistence. Wordfence warns that attackers with administrator access can cover their tracks by deleting logs or other evidence, so a lack of visible compromise does not mean a site is safe.
Reference:
