CVE Alert: CVE-2025-5949 – aonetheme – Service Finder Bookings

CVE-2025-5949

Severity: HIGH. Exploitation status: no exploitation known.

The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user’s identity prior to processing a password change request. This makes it possible for authenticated attackers with subscriber access or higher to reset other users’ passwords, including those of admins.

CVSS v3.1 score: 8.8
Vendor: aonetheme
Product: Service Finder Bookings
Versions: <= 6.0 (all versions up to and including 6.0)
CWE: CWE-639 Authorization Bypass Through User-Controlled Key
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Published: 2025-11-01T04:27:42.063Z
Updated: 2025-11-01T04:27:42.063Z

AI Summary Analysis

Risk verdict

High risk: authenticated subscribers or higher can escalate to admin privileges via password-change flow; patch promptly (priority may be elevated if KEV/EPSS signals are present).

Why this matters

An attacker with subscriber access can reset admin passwords and take full control of the WordPress site, enabling defacement, data exfiltration or persistence. Because the plugin never verifies the requester's identity before applying a password change, remediation is urgent to prevent admin account takeover and the resulting impact on customer data and site integrity.

Most likely attack path

  • Attack vector: network-exposed, remote exploitation possible without user interaction.
  • Preconditions: an attacker must hold subscriber-level or higher access to the affected WordPress site.
  • Privilege implications: PR:L alongside UI:N means the attacker needs only a low-privilege account and no action from any victim; once they change an admin's password, they can log in as that admin and pivot to broader site compromise.

Who is most exposed

WordPress sites running Service Finder Bookings up to version 6.0, common on small business sites, managed hosting or self-hosted environments with user accounts and plugin-enabled password flows.

Detection ideas

  • Monitor for successful password changes on admin accounts initiated from non-admin roles.
  • Look for anomalous password-change attempts targeting admins or account takeover indicators.
  • Audit change_candidate_password action endpoints for unusual requester identities or patterns.
  • Flag sudden admin session creations or credential-usage anomalies after subscriber activity.
  • Correlate user role changes with password-reset events.
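As an added example (not code from the advisory, the plugin or WordPress), the first two detection ideas implemented over constructed activity-log lines: the key=value log format, the role ladder and the field names are assumptions; only the change_candidate_password action name comes from this page.

```python
import re

# Assumed WordPress default role ladder; lower rank = less privileged.
ROLE_RANK = {"subscriber": 0, "contributor": 1, "author": 2,
             "editor": 3, "administrator": 4}

# Constructed sample activity log (not real plugin output): `actor` sent the
# request, `target` is the account whose password it changed.
SAMPLE_LOG = """\
2025-11-01T04:30:01Z action=change_candidate_password actor=bob actor_role=subscriber target=bob target_role=subscriber result=success
2025-11-01T04:30:07Z action=change_candidate_password actor=bob actor_role=subscriber target=siteadmin target_role=administrator result=success
2025-11-01T04:31:12Z action=change_candidate_password actor=alice actor_role=administrator target=carol target_role=editor result=success
2025-11-01T04:32:40Z action=change_candidate_password actor=dave actor_role=editor target=siteadmin target_role=administrator result=failure
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' line into a dict; {} if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    fields["ts"] = m.group("ts")
    return fields

def is_suspicious(ev: dict, include_failed: bool = False) -> bool:
    """Flag a change of ANOTHER user's password by an actor who does not outrank
    them (the CWE-639 pattern: target user id chosen by the requester)."""
    if ev.get("action") != "change_candidate_password":
        return False
    if ev.get("result") != "success" and not include_failed:
        return False
    if ev.get("actor") == ev.get("target"):
        return False  # self-service change, expected
    actor_rank = ROLE_RANK.get(ev.get("actor_role", ""), -1)
    target_rank = ROLE_RANK.get(ev.get("target_role", ""), -1)
    return actor_rank <= target_rank

def find_suspicious(log_text: str, include_failed: bool = False) -> list:
    """Return the parsed events that is_suspicious() flags, in log order."""
    return [ev for ev in map(parse_line, log_text.splitlines())
            if ev and is_suspicious(ev, include_failed)]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_LOG, include_failed=True):
        print(f"{ev['ts']} ALERT {ev['actor']} ({ev['actor_role']}) -> "
              f"{ev['target']} ({ev['target_role']}) result={ev['result']}")
```

Unknown roles rank below subscriber, so a change involving an unrecognised role is flagged rather than silently passed.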

Mitigation and prioritisation

  • Apply the vendor patch to the latest version (or remove/disable the plugin if unavailable).
  • Enforce MFA for all user accounts (subscriber and above); restrict which roles may change other users' passwords.
  • Review and tighten password-change workflows; add server/network hardening around WordPress admin endpoints.
  • Implement compensating controls: WAF rules around password reset endpoints; monitor for credential-reset abuse.
  • If KEV is true or EPSS ≥ 0.5 (data not provided), treat as priority 1. Consider a staged patch window and test in a staging environment before deployment.
