Hackers are actively exploiting a critical vulnerability in the Service Finder WordPress theme, allowing them to bypass authentication and log in as administrators.

The flaw gives attackers full control over affected websites, including the ability to create new accounts, upload malicious files, and access sensitive data.

According to Wordfence, a well-known WordPress security firm, more than 13,800 exploitation attempts have been recorded since August 1st. The Service Finder theme is a premium WordPress product widely used for service directory and job board websites, featuring customer booking, staff management, and built-in payment systems. With over 6,000 sales on Envato Market, the theme is used by many active websites around the world.

The vulnerability, tracked as CVE-2025-5947, has a critical severity score of 9.8. It affects all Service Finder versions 6.0 and earlier and stems from improper validation of the original_user_id cookie in the service_finder_switch_back() function. This flaw allows an attacker to log in as any user — including administrators — without needing a password.

The issue was discovered by security researcher Foxyyy, who reported it through Wordfence’s bug bounty program on June 8. The theme’s developer, Aonetheme, released a fix in version 6.1 on July 17. However, after public disclosure at the end of July, attackers began exploiting the vulnerability almost immediately.

Wordfence observed a major spike in attacks starting September 23, with more than 1,500 attack attempts daily. Researchers identified several IP addresses responsible for most of the attacks, including:

  • 5.189.221.98
  • 185.109.21.157
  • 192.121.16.196
  • 194.68.32.71
  • 178.125.204.198

The attacks typically involve an HTTP GET request to the root path with a switch_back=1 query parameter to impersonate existing users. Although blocklisting these IPs may reduce exposure, experts warn that attackers can easily change addresses to continue the campaign.

Wordfence advises website administrators to carefully review their server logs for suspicious activity or unauthorized accounts that may indicate a breach. However, the firm warns that a lack of visible logs does not necessarily mean a website is safe, as attackers with admin access can delete traces of their intrusion.
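The log review Wordfence recommends can be partly automated. The following script is an added example written for this article, not Wordfence's or Aonetheme's code: it parses access-log lines in the common Apache/Nginx "combined" format and flags the request pattern described above (a GET to the site root carrying `switch_back=1`), then tallies hits per source IP. The log lines embedded in it are constructed samples, not captured traffic; the flagged source addresses reuse two of the IPs listed above, the rest are documentation-range placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache/Nginx "combined" format), not real traffic.
# 5.189.221.98 and 185.109.21.157 are taken from the IP list in the report above;
# the 203.0.113.x addresses are placeholders standing in for ordinary visitors.
SAMPLE_LOG = """\
203.0.113.10 - - [23/Sep/2025:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
5.189.221.98 - - [23/Sep/2025:10:01:07 +0000] "GET /?switch_back=1 HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.11 - - [23/Sep/2025:10:02:15 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
185.109.21.157 - - [23/Sep/2025:10:02:40 +0000] "GET /?switch_back=1&x=1 HTTP/1.1" 302 0 "-" "curl/8.4.0"
5.189.221.98 - - [23/Sep/2025:10:03:01 +0000] "GET /?switch_back=1 HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.12 - - [23/Sep/2025:10:04:00 +0000] "GET /?p=12 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

# Fields of the combined log format we care about: client IP, timestamp,
# request method, request target (path + query) and the response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def is_switch_back_probe(method, target):
    """True when a request matches the pattern described in the report:
    an HTTP GET to the root path whose query string contains switch_back=1."""
    if method != "GET":
        return False
    parts = urlsplit(target)
    if parts.path not in ("", "/"):
        return False
    # parse_qs returns a list per key; we want exactly the value "1".
    return parse_qs(parts.query).get("switch_back") == ["1"]


def scan_access_log(text):
    """Return (list of flagged requests, Counter of flagged requests per source IP)."""
    hits = []
    per_ip = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if is_switch_back_probe(m["method"], m["target"]):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "target": m["target"],
                "status": int(m["status"]),
            })
            per_ip[m["ip"]] += 1
    return hits, per_ip


if __name__ == "__main__":
    hits, per_ip = scan_access_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']}  {h['ip']:<16} {h['target']}  -> HTTP {h['status']}")
    print("flagged requests per source IP:", dict(per_ip))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents. A flagged request that received a redirect or a 200 from a vulnerable version is a reason to audit the user table for unexpected administrator accounts and the uploads directory for files you did not place there; as the article notes, an empty result does not prove the site is clean, because an attacker with admin access may have trimmed the logs.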


Given the ongoing exploitation, all Service Finder theme users are strongly urged to update to version 6.1 or later immediately. Those unable to update should disable or remove the theme entirely to prevent compromise.