What the vulnerability does
01 Description
The Service Finder SMS System plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.0. This is due to the plugin not verifying a user's phone number before logging them in. This makes it possible for unauthenticated attackers to log in as arbitrary users.
Explanation of Vulnerability in Simple Terms
02 Summary
Service Finder SMS System versions 2.0.0 and earlier contain an authentication bypass vulnerability. An attacker can exploit this flaw to gain unauthorized access to the system without valid credentials. The vulnerability requires specific network conditions to exploit but can result in complete compromise of confidentiality, integrity, and availability.
What an attacker can do
03 Attacker Capabilities
Bypass authentication and gain unauthorized access to the Service Finder SMS System without valid credentials.
Potential impact on your site
04 Site Impact
Attackers can access, modify, or disable the SMS system and potentially access sensitive data stored within it.
Conditions required to exploit
05 Prerequisites
Network access to the affected system; no user interaction or authentication required.
Key dates
06 Disclosure timeline
September 19, 2025: CVE published
April 8, 2026: Record updated