CVE-2025-5955 HIGH

CVE-2025-5955: Service Finder SMS System <= 2.0.0 - Authentication Bypass

Vendor: Aonetheme
Product: Service Finder SMS System
Weakness: CWE-288
Published: September 19, 2025
Last update: April 8, 2026

CVSS base score

8.1/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High
Availability: High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Service Finder SMS System plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.0. This is due to the plugin not verifying a user's phone number before logging them in. This makes it possible for unauthenticated attackers to log in as arbitrary users.

Explanation of Vulnerability in Simple Terms

02 Summary

Service Finder SMS System versions 2.0.0 and earlier contain an authentication bypass vulnerability. An attacker can exploit this flaw to gain unauthorized access to the system without valid credentials. The vulnerability requires specific network conditions to exploit but can result in complete compromise of confidentiality, integrity, and availability.

What an attacker can do

03 Attacker Capabilities

Bypass authentication and gain unauthorized access to the Service Finder SMS System without valid credentials.

Potential impact on your site

04 Site Impact

Attackers can access, modify, or disable the SMS system and potentially access sensitive data stored within it.

Conditions required to exploit

05 Prerequisites

Network access to the affected system; no user interaction or authentication required.

Key dates

06 Disclosure timeline

September 19, 2025: CVE published
April 8, 2026: Record updated