CVE Alert: CVE-2025-6574 – aonetheme – Service Finder Bookings

CVE-2025-6574

Severity
HIGH
Exploitation
No exploitation known

The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and excluding, 6.1. This is due to the plugin not properly validating a user's identity prior to updating their details, such as the email address. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary users' email addresses, including those of administrators, and leverage that to reset the affected user's password and gain access to their account.

CVSS v3.1 (8.8)
Vendor
aonetheme
Product
Service Finder Bookings
Versions
* < 6.1
CWE
CWE-639 Authorization Bypass Through User-Controlled Key
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Published
2025-11-01T06:40:36.491Z
Updated
2025-11-01T06:40:36.491Z

AI Summary Analysis

Risk verdict

High risk. Exploitation is feasible for authenticated subscriber+ attackers and could lead to full account takeover if unpatched.

Why this matters

Anyone with a subscriber-level WordPress account can hijack another user’s email and trigger a password reset, potentially gaining admin access. Compromise of admin credentials enables data exfiltration, site defacement, and disruption, with cascading impact on trust and customer relations.

Most likely attack path

Exploitable over the network (AV:N) with no user interaction required (UI:N); the attacker needs only a valid subscriber-level or higher account (PR:L). They exploit the missing identity check to change another user's email address, then use the password-reset flow delivered to that address to seize the target account; the impact stays within the same site (S:U).

Who is most exposed

Sites running the Service Finder Bookings plugin on WordPress are exposed, especially those with open public registration or lax account hygiene; small-to-medium business sites that rely on this plugin make up the typical install base and therefore the bulk of the at-risk population.

Detection ideas

  • Alerts for email address changes on user accounts, especially from non-admin roles.
  • Sudden password reset activity tied to admin or high-privilege accounts.
  • Creation or modification of administrator accounts beyond ordinary workflow.
  • Unusual login activity following email-change events (new IPs/geographies).
  • Plugin audit logs showing email-change actions performed by subscriber-level or higher accounts on other users' profiles.
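Detection logic for the pattern listed above (an email change made by a non-administrator on someone else's account, followed by a password reset and a login from the same IP), as an added example that is not from the advisory or the plugin; the audit-log format, event names and sample lines are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real logs): timestamp, event name,
# then space-separated key=value fields.
SAMPLE_LOG = """
2025-11-02T10:00:01Z user_email_changed actor=alice actor_role=administrator target=alice new=alice@example.test ip=203.0.113.5
2025-11-02T10:05:12Z user_email_changed actor=mallory actor_role=subscriber target=admin new=mallory-alt@example.test ip=198.51.100.7
2025-11-02T10:06:40Z password_reset_requested actor=mallory actor_role=subscriber target=admin ip=198.51.100.7
2025-11-02T10:09:03Z login_success actor=admin actor_role=administrator target=admin ip=198.51.100.7
2025-11-02T12:30:00Z password_reset_requested actor=bob actor_role=subscriber target=bob ip=192.0.2.9
""".strip().splitlines()

# How long after a suspicious email change a reset/login is still correlated.
CORRELATION_WINDOW = timedelta(hours=1)


def parse_event(line):
    """Turn one constructed log line into a dict with a parsed timestamp."""
    ts, name, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["event"] = name
    return ev


def detect_takeover_pattern(lines):
    """Return (alert, actor, target) tuples for the three-step pattern:
    1. a non-administrator changes another account's email address;
    2. a password reset is requested for that account inside the window;
    3. that account logs in from the IP that made the email change."""
    alerts = []
    suspicious = {}  # target account -> (time of email change, changer IP)
    for ev in map(parse_event, lines):
        if ev["event"] == "user_email_changed":
            cross_account = ev["actor"] != ev["target"]
            if cross_account and ev["actor_role"] != "administrator":
                suspicious[ev["target"]] = (ev["ts"], ev["ip"])
                alerts.append(("cross_account_email_change", ev["actor"], ev["target"]))
            continue
        hit = suspicious.get(ev["target"])
        if not hit or ev["ts"] - hit[0] > CORRELATION_WINDOW:
            continue  # no recent suspicious change on this account
        if ev["event"] == "password_reset_requested":
            alerts.append(("reset_after_email_change", ev["actor"], ev["target"]))
        elif ev["event"] == "login_success" and ev["ip"] == hit[1]:
            alerts.append(("login_from_changer_ip", ev["actor"], ev["target"]))
    return alerts
```

Self-service changes (actor equals target) and unrelated resets, like bob's in the sample, produce no alert; only the chained cross-account sequence does.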

Mitigation and prioritisation

  • Patch immediately: upgrade to 6.1 or later; if unavailable, disable the plugin until fixed.
  • Enforce MFA for all users, with priority for subscribers and admins.
  • Tighten access: review and disable unused accounts; apply least-privilege provisioning.
  • Strengthen password-reset controls and consider email-change verification or admin approval.
  • Enhance detection: enable detailed plugin logs and centralised monitoring; place alerts on user-level changes.
