Attackers Actively Exploiting Critical Vulnerability in Service Finder Bookings Plugin

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :

On June 8th, 2025, we received a submission through our Bug Bounty Program for an Authentication Bypass vulnerability in Service Finder Bookings, a WordPress plugin bundled with the Service Finder theme. This theme has been sold to approximately 6,000 customers. This vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site, including accounts with the ‘administrator’ role. The vendor released the patched version on July 17, 2025, and we publicly disclosed this vulnerability on July 31, 2025.

OPENCTI LABELS :

exploit,vulnerability,wordpress,authentication bypass,service finder bookings,service finder,wordfence


AI COMMENTARY :

1. Introduction to the Service Finder Bookings Vulnerability

On June 8th, 2025, a critical authentication bypass vulnerability was reported in the Service Finder Bookings plugin for WordPress. This plugin, bundled with the Service Finder theme, has been deployed on approximately 6,000 sites. The flaw allowed unauthenticated attackers to gain access to any account on a vulnerable site, including those with administrator privileges. Public disclosure followed on July 31, 2025, after the vendor released a patched version on July 17, 2025.

2. Details of the Authentication Bypass Exploit

The root cause of the vulnerability lay in improper validation of user requests within the booking workflow. By crafting specially manipulated HTTP requests, attackers could bypass login checks and assume the identity of any registered user. This exploit impacts both front-end and back-end operations, making it trivial for adversaries to escalate privileges and control site functionality without authentication.

3. Real-World Impact and Threat Intel Context

Wordfence researchers observed active exploitation campaigns targeting sites running outdated versions of Service Finder Bookings. Attackers leveraged automated scanners to detect vulnerable installations and then orchestrated mass account takeover attempts. Compromised administrators could install malware, deface websites, or use hijacked servers for further malicious activities, such as phishing or cryptojacking. The widespread distribution of the plugin elevated the severity of this threat within the WordPress ecosystem.

4. Remediation Steps and Best Practices

Site owners are urged to update Service Finder Bookings to version 2.3.1 or later immediately. If automatic updates are unavailable, manual patching or temporary deactivation of the plugin should be performed. Administrators must also review user accounts for suspicious activity, enforce strong password policies, and enable two-factor authentication where possible. Regular vulnerability scans and timely application of security patches will mitigate similar risks in the future.
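Two of the remediation steps above can be scripted. The following is an added example, not code from the advisory or from the plugin: it compares an installed plugin version against the patched release 2.3.1, and it flags administrator accounts registered after public disclosure so they can be reviewed. It assumes the user list has the shape that `wp user list --format=json` produces (fields ID, user_login, user_registered, roles); the review window start and the sample user records are constructed assumptions.

```python
"""Post-advisory checks for Service Finder Bookings (added example)."""
import json
from datetime import datetime, timezone

PATCHED_VERSION = "2.3.1"  # fixed release named in the advisory
# Assumed review window: accounts created on or after public disclosure.
DISCLOSURE_DATE = datetime(2025, 7, 31, tzinfo=timezone.utc)


def parse_version(version: str) -> tuple:
    """Turn '2.3.1' into (2, 3, 1); missing or non-numeric parts count as 0."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_version(installed: str) -> bool:
    """True when the installed plugin is older than the patched release."""
    return parse_version(installed) < parse_version(PATCHED_VERSION)


def suspicious_admins(users_json: str, since: datetime = DISCLOSURE_DATE) -> list:
    """Return logins of administrator accounts registered on or after `since`."""
    flagged = []
    for user in json.loads(users_json):
        # wp-cli reports roles as a comma-separated string, e.g. "administrator".
        if "administrator" not in user.get("roles", "").split(","):
            continue
        registered = datetime.strptime(
            user["user_registered"], "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        if registered >= since:
            flagged.append(user["user_login"])
    return flagged


# Constructed sample records in the wp-cli JSON shape (not real site data).
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "owner", "user_registered": "2023-02-10 09:12:00", "roles": "administrator"},
    {"ID": 27, "user_login": "svc-backup", "user_registered": "2025-08-02 03:41:15", "roles": "administrator"},
    {"ID": 28, "user_login": "jane", "user_registered": "2025-08-03 10:00:00", "roles": "subscriber"},
])

if __name__ == "__main__":
    print("2.3.0 vulnerable:", is_vulnerable_version("2.3.0"))
    print("admins to review:", suspicious_admins(SAMPLE_USERS))
```

Run the version check against the value from `wp plugin get <slug> --field=version` and feed the JSON from `wp user list --format=json` to the audit; a flagged account is a review lead, not proof of compromise.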

5. Lessons Learned and Ongoing Defense Strategies

This incident underscores the importance of proactive threat intel integration into security operations. Monitoring exploit chatter and bug bounty submissions can accelerate detection and response timelines. Collaboration between researchers, vendors, and the broader WordPress community enhances collective resilience. By staying informed about emerging vulnerability trends and strengthening supply-chain security, organizations can reduce their exposure to critical exploits like the one affecting Service Finder Bookings.
