
Unpatched Privilege Escalation Flaw Discovered in Service Finder Bookings Plugin, Jeopardizing Site Security

An unpatched flaw has been found in the Service Finder Bookings plugin that enables attackers to unlawfully elevate their privileges. Users are advised to take preventive action, such as disabling the plugin and deleting it from their sites, until a security update is released.

A significant security issue has been identified in the Service Finder plugin, a core component of the popular Service Finder directory and job board WordPress theme. The vulnerability, tracked as CVE-2025-23970, allows any unauthenticated attacker to elevate their permissions to administrator rights or to log in as any user on the website.

The vulnerability was first reported to the plugin's developer, the Ossolution Team, on May 31, 2025. The vendor was notified again on June 2, 2025, but as of September 3, 2025, no patched version of the Service Finder plugin is known to exist.

The Service Finder plugin, which has been sold over 6,000 times, handles the entire booking process for the Service Finder theme. This means that any successful exploitation of the privilege escalation issue could have severe consequences for the affected websites.

The vulnerability was published in the Patchstack database on July 3, 2025, still with no response from the vendor. A subsequent security advisory article was published on September 3, 2025, highlighting the urgency of the issue and the need for immediate action from the plugin's developer.

The privilege escalation issue in versions 6.1 and below of the Service Finder plugin is particularly concerning because it lets attackers bypass authentication entirely, potentially leading to unauthorised access to, and full control of, the affected websites.

Users of the Service Finder plugin are strongly advised to exercise caution and, if possible, temporarily disable the plugin until a patch is released. Regularly updating plugins and themes is essential for maintaining the security of WordPress websites, and this incident underscores the importance of staying vigilant and up-to-date.

The Ossolution Team has yet to comment on the issue or provide a timeline for a patch release. This article will be updated as more information becomes available.
