What the vulnerability does
01 Description
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.0. This is due to the plugin not properly validating a user's identity prior to (1) performing a post-booking auto-login or (2) updating their profile details (e.g. password). This makes it possible for unauthenticated attackers to (1) log in as an arbitrary user if their email address is known or (2) change an arbitrary user's password, including administrators, and leverage that to gain access to their account.
Explanation of Vulnerability in Simple Terms
02 Summary
Service Finder Bookings versions 5.0 and earlier contain an authentication bypass vulnerability. An attacker can gain full control of the application without valid credentials, reading sensitive data, modifying bookings and user information, and disrupting service availability. No user interaction or special privileges are required to exploit this flaw.
What an attacker can do
03 Attacker Capabilities
Gain unauthorized access and read/modify all data, including user credentials and booking records.
Potential impact on your site
04 Site Impact
Complete compromise of the booking system and exposure of all user and booking data.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication, special privileges, or user interaction required.
Key dates
06 Disclosure timeline
March 19, 2025: CVE published
April 8, 2026: Record updated