CVE-2024-13442 CRITICAL

CVE-2024-13442: Service Finder Bookings <= 5.0 - Unauthenticated Privilege Escalation via Account Takeover

Vendor: Aonetheme
Product: Service Finder Bookings
Weakness: CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
Published: March 19, 2025
Last update: April 8, 2026

CVSS base score

9.8/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High
Availability: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.0. This is due to the plugin not properly validating a user's identity prior to (1) performing a post-booking auto-login or (2) updating their profile details (e.g. password). This makes it possible for unauthenticated attackers to (1) log in as an arbitrary user if their email address is known or (2) change an arbitrary user's password, including administrators, and leverage that to gain access to their account.
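The two failure modes above (an auto-login and a profile update that both trust a client-supplied identity) are a common pattern in WordPress plugins, so the following hypothetical handlers illustrate what the defect looks like next to a hardened version. This is an added teaching example written for this page; it is not code from the Service Finder Bookings plugin, and every function and hook name prefixed `sfb_example_` is an assumption made here. Only the WordPress core APIs (`wp_ajax_*`, `check_ajax_referer`, `wp_check_password`, `wp_set_password`, `wp_set_auth_cookie`, `email_exists`, `wp_create_user`) are real.

```php
<?php
// Hypothetical illustration, not the plugin's code. Shows the CWE-288 pattern
// (identity taken from the request) beside a version that binds the action to
// the authenticated session.

// --- WEAK: profile/password update reachable without a session -----------------
// 'wp_ajax_nopriv_' exposes the handler to unauthenticated visitors, and the
// target account is whatever user_id the client sends. Anyone can reset any
// user's password, including an administrator's.
add_action( 'wp_ajax_nopriv_sfb_example_weak_update', 'sfb_example_weak_update' );
add_action( 'wp_ajax_sfb_example_weak_update',        'sfb_example_weak_update' );
function sfb_example_weak_update() {
    $user_id  = (int) ( $_POST['user_id'] ?? 0 );
    $password = (string) ( $_POST['password'] ?? '' );
    wp_set_password( $password, $user_id );   // no nonce, no session, no ownership check
    wp_send_json_success();
}

// --- HARDENED: only the logged-in user may change their own password -----------
// No 'nopriv' registration, a nonce to stop CSRF, the user id comes from the
// session rather than the request, and the current password is re-verified.
add_action( 'wp_ajax_sfb_example_safe_update', 'sfb_example_safe_update' );
function sfb_example_safe_update() {
    check_ajax_referer( 'sfb_example_update', 'nonce' );

    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_send_json_error( 'authentication required', 401 );
    }

    $current = (string) wp_unslash( $_POST['current_password'] ?? '' );
    $new     = (string) wp_unslash( $_POST['new_password'] ?? '' );
    $user    = wp_get_current_user();

    if ( ! wp_check_password( $current, $user->user_pass, $user_id ) ) {
        wp_send_json_error( 'current password incorrect', 403 );
    }
    if ( strlen( $new ) < 12 ) {
        wp_send_json_error( 'new password too short', 400 );
    }

    wp_set_password( $new, $user_id );      // bound to the session's own account
    wp_set_auth_cookie( $user_id );         // wp_set_password clears cookies; re-issue for self
    wp_send_json_success();
}

// --- WEAK: post-booking auto-login keyed only on an email address --------------
// Knowing a victim's email is enough to receive their session cookie.
function sfb_example_weak_autologin( $email ) {
    $user = get_user_by( 'email', $email );
    if ( $user ) {
        wp_set_auth_cookie( $user->ID );    // logs in an existing account on email alone
    }
}

// --- HARDENED: never auto-login a pre-existing account ------------------------
// A session is issued only for an account created in this same request; an
// existing account must authenticate through the normal login flow.
function sfb_example_safe_autologin( $email ) {
    $email = sanitize_email( $email );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'bad_email', 'invalid email' );
    }
    if ( email_exists( $email ) ) {
        // Existing user: do not issue a session; ask them to log in.
        return new WP_Error( 'login_required', 'please log in to link this booking' );
    }
    $user_id = wp_create_user( $email, wp_generate_password( 24 ), $email );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    wp_set_auth_cookie( $user_id );         // only the brand-new account gets a session
    return $user_id;
}
```

When auditing a plugin for this class of bug, the things to look for are exactly the differences between the two halves: any `wp_ajax_nopriv_` or public REST route that calls `wp_set_password`, `wp_update_user` or `wp_set_auth_cookie`, a user id or email taken from `$_POST`/`$_GET` rather than from `get_current_user_id()`, and the absence of `check_ajax_referer`/`current_user_can` checks on the path.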

Explanation of Vulnerability in Simple Terms

02 Summary

Service Finder Bookings versions 5.0 and earlier contain an authentication bypass vulnerability. An attacker can gain full control of the application without valid credentials, reading sensitive data, modifying bookings and user information, and disrupting service availability. No user interaction or special privileges are required to exploit this flaw.

What an attacker can do

03 Attacker Capabilities

Gain unauthorized access and read/modify all data, including user credentials and booking records.

Potential impact on your site

04 Site Impact

Complete compromise of the booking system and exposure of all user and booking data.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication, special privileges, or user interaction required.

Key dates

06 Disclosure timeline

March 19, 2025: CVE published
April 8, 2026: Record updated