CVE-2025-5947 (CVSS 9.8): Hackers Exploit Authentication Bypass in Service Finder WordPress Theme
Key takeaways:
- Critical authentication bypass vulnerability (CVE-2025-5947) in Service Finder WordPress theme allows attackers to gain administrator access.
- Exploitation attempts are actively targeting versions 6.0 and older.
- Update to version 6.1 or later immediately and monitor for suspicious activity.
- Ransomware actors are leveraging legitimate DFIR tools like Velociraptor for persistence and deployment.
- Proactive cybersecurity measures, including threat intelligence and vulnerability management, are essential for protection.
Service Finder WordPress Theme Vulnerability Details
Service Finder is a premium WordPress theme designed for service directory and job board websites. It offers features such as customer booking, feedback systems, time slot management, staff management, invoice generation, and integrated payment systems. With over 6,000 sales on Envato Market, it is deployed on a large number of active websites, which makes this vulnerability a serious concern.
The vulnerability, CVE-2025-5947, stems from improper validation of the original_user_id cookie within the service_finder_switch_back() function. Successful exploitation allows an attacker to log in as any user, including administrators, without requiring authentication. The severity of this vulnerability is reflected in its critical CVSS score of 9.8.
Discovery and Patching
The authentication bypass vulnerability was discovered by security researcher ‘Foxyyy’ and reported through Wordfence’s bug bounty program on June 8. Aonetheme, the theme’s vendor, released version 6.1 on July 17 to address this security issue. However, public disclosure of the vulnerability at the end of July led to exploitation attempts beginning the very next day.
Exploitation Attempts
Wordfence has reported a surge in exploitation attempts targeting CVE-2025-5947. Since August 1, they have recorded over 13,800 attempts, with a peak of over 1,500 attacks per day observed in the week following September 23.
A typical attack involves sending an HTTP GET request to the root path with a query parameter switch_back=1, designed to impersonate an existing user. Wordfence has identified several IP addresses used in these attacks, with a significant portion originating from the following five:
- 5.189.221.98
- 185.109.21.157
- 192.121.16.196
- 194.68.32.71
- 178.125.204.198
While blocking these IP addresses can provide some mitigation, attackers can easily switch to new ones, making this defense limited.
Impact and Risks
The impact of successful exploitation of CVE-2025-5947 is substantial. An attacker gaining administrator access can:
- Modify website content: Deface the website, spread misinformation, or redirect users to malicious sites.
- Inject malicious code: Insert backdoors, malware, or code for phishing attacks.
- Steal sensitive data: Access and exfiltrate user data, financial information, or other confidential data.
- Compromise the server: Use the compromised website as a launching pad for further attacks on other systems.
- Achieve persistence: Create new admin accounts for persistent access, even after the initial vulnerability is patched.
Detecting and Mitigating the Threat
Given the active exploitation of CVE-2025-5947, immediate action is required for websites using the Service Finder theme.
For Technical Readers:
- Immediate Update: Update the Service Finder theme to version 6.1 or later immediately. This is the most effective way to address the vulnerability.
- Log Review: Examine website logs for suspicious activity, specifically HTTP GET requests containing the switch_back=1 parameter.
- Account Auditing: Review the list of WordPress administrators and look for any unauthorized or unfamiliar accounts.
- File Integrity Monitoring: Implement file integrity monitoring to detect any unauthorized changes to website files.
- Implement Web Application Firewall (WAF): A WAF can help filter out malicious requests and block known attack patterns.
- Monitor Network Traffic: Analyze network traffic for unusual patterns or connections to suspicious IP addresses.
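As an added example (not from the original article or from Wordfence), the log review step above can be scripted. This Python scanner parses access-log lines in the common Apache/nginx combined format, flags GET requests whose query string carries switch_back=1 on any path (a slight generalization of the root-path pattern described above), tallies attempts per source IP, and marks the five addresses listed earlier. The log lines are constructed samples, and the regex and record field names are this example's own assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Oct/2025:10:12:01 +0000] "GET /?switch_back=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Oct/2025:10:12:05 +0000] "GET /jobs/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Oct/2025:10:12:09 +0000] "GET /?switch_back=1&x=y HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [05/Oct/2025:10:13:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
5.189.221.98 - - [05/Oct/2025:10:14:30 +0000] "GET /?switch_back=1 HTTP/1.1" 302 0 "-" "python-requests/2.31"
"""

# Source addresses the write-up names as heavy sources of exploitation attempts.
KNOWN_ATTACK_IPS = {"5.189.221.98", "185.109.21.157", "192.121.16.196",
                    "194.68.32.71", "178.125.204.198"}

# Assumed combined-format layout: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def is_switch_back_attempt(method: str, target: str) -> bool:
    """True when the request is a GET whose query string carries switch_back=1."""
    if method != "GET":
        return False
    query = parse_qs(urlsplit(target).query)
    return "1" in query.get("switch_back", [])


def scan_log(text: str):
    """Return (hits, per_ip): matching records plus a per-source-IP attempt count."""
    hits, per_ip = [], Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if is_switch_back_attempt(m["method"], m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "known_attacker": m["ip"] in KNOWN_ATTACK_IPS})
            per_ip[m["ip"]] += 1
    return hits, per_ip


if __name__ == "__main__":
    found, counts = scan_log(SAMPLE_LOG)
    for rec in found:
        print(rec)
    print("attempts per source IP:", dict(counts))
```

A hit with a 302 response on a site still running version 6.0 or older deserves the account audit described above, since the redirect is consistent with a session having been switched.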
For Business Leaders:
- Communicate with your IT Team: Ensure that your IT team is aware of the vulnerability and is taking steps to mitigate the risk.
- Verify Theme Version: Confirm that all websites using the Service Finder theme are running version 6.1 or later.
- Review Security Policies: Ensure that your security policies are up-to-date and that your website is adequately protected.
- Consider a Security Audit: Engage a cybersecurity firm to conduct a comprehensive security audit of your website.
It’s crucial to understand that the absence of suspicious log entries does not guarantee that your website has not been compromised. Attackers with administrator access can delete logs and cover their tracks.
Staying Ahead of Threats with Cyber Threat Intelligence
This vulnerability underscores the importance of proactive cybersecurity measures, including a comprehensive cyber threat intelligence platform. Proactive measures of this kind can provide early warnings of potential threats and allow organizations to take preventative action, and integrating them into your security infrastructure further strengthens your defenses against emerging threats.
How PurpleOps Can Help
PurpleOps provides a suite of cybersecurity services designed to protect your organization from vulnerabilities like CVE-2025-5947 and other emerging threats. Our services include:
- Cyber Threat Intelligence: Gain actionable insights into the latest threats and vulnerabilities with our comprehensive threat intelligence platform, including real-time updates on the latest ransomware threats and exploits.
- Vulnerability Management: Identify and address vulnerabilities in your systems before attackers can exploit them, with continuous services that provide proactive measures against potential threats.
- Incident Response: Our experienced incident response team can help you contain and remediate security incidents quickly and effectively, and proactively detect and address potential threats before they impact your business.
- Managed Security Services: Outsource your security operations to our team of experts and benefit from 24/7 monitoring, brand protection, and deeper insight into your environment.
- Red Team Operations: We provide expert red team operations to help you assess the effectiveness of your security controls and identify areas for improvement.
- Penetration Testing: Our penetration testing services simulate real-world attacks on your systems, applications, and networks to identify security weaknesses.
Contact PurpleOps today to learn more about how we can help you protect your organization from cyber threats. Explore our platform to discover our full suite of cybersecurity solutions.
Velociraptor Leveraged in Ransomware Attacks
Adding another layer of complexity to the threat landscape, recent reports indicate that threat actors are now leveraging legitimate digital forensics and incident response (DFIR) tools, such as Velociraptor, in ransomware attacks.
Cisco Talos has confirmed instances where ransomware operators are using Velociraptor, an open-source DFIR tool, to maintain persistence and deploy ransomware more effectively.
Velociraptor as a Double-Edged Sword
Velociraptor is designed to enable security teams to perform endpoint monitoring by deploying client agents across Windows, Linux, and Mac systems. These agents continuously collect data and respond to security events. However, threat actors are exploiting Velociraptor’s capabilities for their malicious purposes.
In a recent incident investigated by Talos, actors affiliated with Warlock ransomware deployed Warlock, LockBit, and Babuk ransomware to encrypt VMware ESXi virtual machines (VMs) and Windows servers. Velociraptor played a crucial role in this campaign, ensuring the actors maintained stealthy persistent access while deploying the ransomware.
The attackers installed an outdated version of Velociraptor (version 0.73.4.0), which was vulnerable to a privilege escalation vulnerability (CVE-2025-6264). This vulnerability allows for arbitrary command execution and endpoint takeover.
Additionally, there have been reports of threat actors using Velociraptor to download and execute Visual Studio Code, likely to create a tunnel to an attacker-controlled command-and-control (C2) server.
Attribution to Storm-2603
Talos assesses with moderate confidence that the ransomware activity involving Velociraptor can be attributed to the group Storm-2603, a suspected China-based threat actor first identified in July 2025. Storm-2603 is known for exploiting on-premises SharePoint vulnerabilities (ToolShell) and deploying Warlock and LockBit ransomware.
Several factors contribute to this attribution:
- Storm-2603 is known for deploying Warlock and LockBit ransomware in the same engagement.
- The use of two different ransomware variants (Warlock and Babuk) in the same attack is unusual.
- The threat actor mirrored several Storm-2603 TTPs, including the use of cmd.exe and batch scripts, disabling Microsoft Defender protections, creating scheduled tasks, manipulating IIS components, and modifying Group Policy Objects (GPOs).
Campaign Overview
The initial signs of suspicious activity associated with this campaign occurred in mid-August 2025. The threat actor attempted to escalate privileges and move laterally within the compromised environment. They created admin accounts that synced to Entra ID (formerly Azure Active Directory) via the domain controller. The same actor-controlled admin account also accessed the VMware vSphere console, an interface used to manage and interact with VMs.
The threat actor installed an older version of Velociraptor on multiple servers to maintain persistence. They also executed commands to run Smbexec, a Python script that allows an attacker to launch programs remotely using the SMB protocol.
To impair defenses and evade detection, the actors modified Active Directory (AD) GPOs, disabling real-time protection, behavior monitoring, and file and program activity monitoring.
The actors deployed a fileless PowerShell script with encryption functionality, which was likely the primary encryptor that deployed mass encryption on the Windows machines. They also deployed LockBit ransomware executables on Windows machines and a Linux binary on ESXi servers flagged as the Babuk encryptor.
Additionally, the actors conducted double extortion, exfiltrating data using a PowerShell script. This script suppressed visual indications of progress and included sleep commands to inhibit analysis and avoid triggering security alerts.
Implications for Security Professionals
The use of legitimate DFIR tools like Velociraptor by ransomware actors poses significant challenges for security professionals. It highlights the need for:
- Enhanced Monitoring: Implement robust monitoring systems to detect unusual activity associated with DFIR tools.
- Behavioral Analysis: Focus on behavioral analysis to identify malicious use of legitimate tools.
- Privilege Management: Enforce strict privilege management policies to limit the potential impact of compromised accounts.
- Vulnerability Management: Regularly update and patch software to address known vulnerabilities, including those in DFIR tools.
- Threat Intelligence: Stay informed about the latest TTPs used by ransomware actors.
Protecting Your Organization with Proactive Cyber Security
At PurpleOps, we understand the complexities of today’s threat landscape and offer a range of services to help you protect your organization from ransomware and other cyber threats.
Our expertise in cyber threat intelligence platforms and related services can provide you with the visibility you need to detect and respond to threats quickly. We offer a suite of tools to keep you ahead of attackers.
We also provide managed security services to ensure that your systems are continuously monitored and protected.
Contact PurpleOps today to learn how we can help you strengthen your security posture and protect your organization from cyber threats. Explore our red team operations and services.
FAQ
Q: What is CVE-2025-5947?
A: CVE-2025-5947 is a critical authentication bypass vulnerability in the Service Finder WordPress theme that allows attackers to gain administrator access.
Q: Which versions of the Service Finder theme are affected?
A: Versions 6.0 and older of the Service Finder theme are affected by this vulnerability.
Q: How can I protect my website from this vulnerability?
A: The most effective way to protect your website is to update the Service Finder theme to version 6.1 or later immediately.
Q: What is Velociraptor and how is it being used in ransomware attacks?
A: Velociraptor is a legitimate DFIR tool that is being leveraged by ransomware actors to maintain persistence, deploy ransomware more effectively, and conduct other malicious activities.
Q: How can PurpleOps help protect my organization from cyber threats?
A: PurpleOps provides a range of cybersecurity services, including cyber threat intelligence, vulnerability management, incident response, and managed security services, to help protect your organization from ransomware and other cyber threats.