A severe Service Finder WordPress theme vulnerability (CVE-2025-5947) is under active exploitation, allowing attackers to bypass authentication and gain full administrator access to websites. Security firm Wordfence has recorded more than 13,800 exploit attempts since August 1, with activity surging in late September.
The Service Finder WordPress theme is a premium theme commonly used for service directories, booking platforms, and job boards. Sites running vulnerable versions risk complete compromise, as attackers with administrator rights can create accounts, upload malicious PHP files, alter site content, and export sensitive databases. With more than 6,000 sales on Envato Market, the theme is widely deployed across active websites.
Details of CVE-2025-5947
The vulnerability impacts Service Finder WordPress theme versions 6.0 and earlier. The flaw stems from improper validation of the original_user_id cookie within the service_finder_switch_back() function. By exploiting this weakness, threat actors can impersonate any user, including administrators, without needing valid credentials. Once logged in as an administrator, attackers effectively take over the website.
The flaw was discovered by a researcher known as Foxyyy and reported through Wordfence’s bug bounty program in June. Aonetheme, the vendor behind Service Finder, released version 6.1 on July 17 to address the issue. However, public disclosure at the end of July led to immediate exploitation by malicious actors scanning for unpatched websites.
Attack Activity Observed
Researchers documented over 1,500 daily exploitation attempts starting September 23, contributing to a total of 13,800 attempts by early October. Most attacks involve sending an HTTP GET request carrying the parameter switch_back=1, which, together with a forged original_user_id cookie naming the target account, causes the theme to log the requester in as that user and so grants administrative privileges. Because the attack uses normal-looking queries, compromised sites may not display obvious signs of intrusion.
Wordfence identified thousands of requests tied to just five primary IP addresses early in the campaign, though attackers are expected to rotate infrastructure:
- 5.189.221.98
- 185.109.21.157
- 192.121.16.196
- 194.68.32.71
- 178.125.204.198
How Exploited Sites Are Compromised
Once inside, attackers typically escalate their access by creating hidden administrator accounts, deploying file managers or web shells, and modifying WordPress core or theme files. They may also plant persistent backdoors that survive theme updates, making recovery more challenging. Because the attackers are logged in as admins, many conventional security tools may fail to raise alerts.
Recommendations for Site Owners
Website administrators using the Service Finder WordPress theme should immediately verify their installed version. If running version 6.0 or earlier, patch to 6.1 or higher without delay. Beyond patching, site owners should audit their environments for potential compromise:
- Check server logs for switch_back=1 requests
- Review all administrator accounts and remove unauthorized users
- Change all passwords, especially for admin accounts
- Scan for unfamiliar PHP files or modifications in theme directories
- Harden WordPress by disabling file editing and enforcing multifactor authentication
In addition, blocking the known malicious IP addresses may reduce incoming traffic, though it is not a permanent solution since attackers often rotate infrastructure. Wordfence emphasizes that the absence of suspicious log entries does not guarantee a site is uncompromised, as skilled attackers can delete logs and cover their tracks.
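The log check and IP review above can be scripted. The following is an added example, not code from the article or from Wordfence: it parses combined-format access logs, flags every request carrying switch_back=1 (matching broadly, since attacker tooling may vary case or percent-encode the parameter even though PHP's own $_GET lookup is case-sensitive), marks hits from the five addresses listed above, and then pulls wp-admin requests from the probing IPs as post-exploitation leads. The log lines are constructed for illustration.

```python
"""Hunt access logs for CVE-2025-5947 probing (switch_back=1) and follow-on admin activity.

Added example, not code from the article or Wordfence. Assumes the Apache/Nginx
"combined" log format. SAMPLE_LOG is constructed; KNOWN_BAD_IPS are the five
addresses quoted in the article.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote, urlsplit

KNOWN_BAD_IPS = {
    "5.189.221.98", "185.109.21.157", "192.121.16.196",
    "194.68.32.71", "178.125.204.198",
}

# combined format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Deliberately broad for hunting: case-insensitive, and applied after percent-decoding.
SWITCH_BACK_RE = re.compile(r"(?:^|&)switch_back=1(?:&|$)", re.IGNORECASE)

# Constructed sample: two known-bad IPs, one new scanner, an encoded variant,
# and an ordinary visitor. 198.51.100.9 follows its probe with an admin-ajax call.
SAMPLE_LOG = """\
5.189.221.98 - - [23/Sep/2025:10:14:02 +0000] "GET /?switch_back=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Sep/2025:10:14:05 +0000] "GET /wp-content/themes/service-finder/style.css HTTP/1.1" 200 8124 "-" "Mozilla/5.0"
185.109.21.157 - - [23/Sep/2025:10:15:41 +0000] "GET /index.php?switch_back=1&foo=bar HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.9 - - [23/Sep/2025:10:16:00 +0000] "GET /?Switch_Back=1 HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.9 - - [23/Sep/2025:10:16:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 45 "-" "python-requests/2.31"
192.0.2.44 - - [23/Sep/2025:10:17:33 +0000] "GET /?switch_back%3D1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_switch_back_probe(target: str) -> bool:
    """True if the request target's query string carries switch_back=1."""
    query = urlsplit(unquote(target)).query
    return bool(SWITCH_BACK_RE.search(query))


def triage(log_text: str):
    """Return (probe events, per-IP counts) for requests carrying switch_back=1."""
    probes, per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_switch_back_probe(rec["target"]):
            continue
        rec["known_bad_ip"] = rec["ip"] in KNOWN_BAD_IPS
        # On an unpatched site a redirect after switch_back=1 is consistent with the
        # theme having set a login cookie, so rank those leads first.
        rec["redirected"] = rec["status"] in (301, 302)
        probes.append(rec)
        per_ip[rec["ip"]] += 1
    return probes, per_ip


def admin_activity_from(log_text: str, ips) -> dict[str, list[str]]:
    """wp-admin requests from the given IPs: where to look for user creation and uploads."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ip"] in ips and rec["target"].startswith("/wp-admin/"):
            out[rec["ip"]].append(f'{rec["time"]} {rec["method"]} {rec["target"]}')
    return dict(out)


if __name__ == "__main__":
    probes, per_ip = triage(SAMPLE_LOG)
    for p in probes:
        flag = "KNOWN-BAD" if p["known_bad_ip"] else "new"
        print(f'{p["time"]} {p["ip"]:<16} {p["status"]} {flag:<9} {p["target"]}')
    print("per-IP probe counts:", dict(per_ip))
    print("admin activity from probers:", admin_activity_from(SAMPLE_LOG, set(per_ip)))
```

Treat every hit with a redirect response on a site that was still on 6.0 as a presumed takeover, and treat an empty result as inconclusive rather than clean: as noted above, an attacker with administrator access can delete or truncate logs, so corroborate with the user-account and file-integrity checks.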
The active exploitation of CVE-2025-5947 highlights the importance of prompt patching and proactive monitoring. For administrators using the Service Finder WordPress theme, updating to version 6.1 or later is essential. Any delay risks total site takeover, stolen data, and long-term persistence by attackers who already have administrator access.