Unpatched privilege escalation vulnerability in Service Finder Bookings plugin poses a significant security risk
In a concerning turn of events, a security advisory article was published on September 3, 2025, highlighting a privilege escalation issue in the Service Finder Bookings plugin. This plugin, a crucial component of the premium WordPress theme Service Finder, handles the entire booking process for the directory and job board theme.
The vulnerability, tracked under CVE-2025-23970, allows any unauthenticated attacker to elevate their permissions to administrator level or log in as any user on the website. This issue was first reported in a security report received on May 31, 2025, and the vendor was notified immediately.
However, despite the report and subsequent advisory, there is still no patched version available for the vulnerability. This means that websites using versions 6.1 and below of the Service Finder Bookings plugin remain at risk.
The Ossolution Team, the manufacturer of the Service Finder Bookings plugin, has been informed about the security issue. The plugin has been sold over 6,000 times, making the urgency of a patch even more critical.
In the interim, it is recommended to disable and remove the Service Finder Bookings plugin from the website until a security update is available. On the development side, proper authentication and authorization checks should be performed before a user session is assigned, and sessions and authentication cookies should be handled with the utmost care.
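As an added illustration of that recommendation (hypothetical code written for this article, not code from the Service Finder Bookings plugin or its vendor), the following contrasts a WordPress handler that assigns a session from request input alone with a hardened handler that verifies authentication, authorization and a CSRF nonce before calling `wp_set_auth_cookie()`. The capability name, the nonce action and the `admin_post_` hook name are assumptions; the WordPress API calls themselves are standard.

```php
<?php
// Hypothetical example, not code from the Service Finder Bookings plugin.
// Shows why a session must never be assigned on the basis of request input alone.

// INSECURE PATTERN: the target user id comes straight from the request and is
// trusted with no authentication or authorization check at all.
function insecure_switch_user() {
    $user_id = isset( $_GET['user_id'] ) ? absint( $_GET['user_id'] ) : 0;
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id ); // any visitor becomes any user, including an administrator
}

// HARDENED PATTERN: every condition is checked before a session is assigned.
function hardened_switch_user() {
    // 1. The caller must already be authenticated.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required.', 'Forbidden', array( 'response' => 401 ) );
    }

    // 2. The caller must be authorized for this privileged action (assumed capability).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 3. The request must carry a valid nonce so the action cannot be forged (CSRF).
    check_admin_referer( 'example_switch_user' ); // hypothetical nonce action name

    // 4. Validate the target user and refuse targets the caller is not allowed to manage.
    $user_id = isset( $_POST['user_id'] ) ? absint( wp_unslash( $_POST['user_id'] ) ) : 0;
    $target  = $user_id ? get_user_by( 'id', $user_id ) : false;
    if ( ! $target || ! current_user_can( 'edit_user', $target->ID ) ) {
        wp_die( 'Invalid target user.', 'Bad Request', array( 'response' => 400 ) );
    }

    // 5. Record who performed the switch before the current user changes, for audit trails.
    $caller_id = get_current_user_id();
    error_log( sprintf( 'session switch: user %d -> user %d', $caller_id, $target->ID ) );

    // 6. Only now assign the session; the cookie is marked secure on HTTPS sites.
    wp_set_current_user( $target->ID );
    wp_set_auth_cookie( $target->ID, false, is_ssl() );

    wp_safe_redirect( admin_url() );
    exit;
}

// Register the hardened handler on the logged-in-only admin-post hook (hypothetical action name).
// The submitting form must include wp_nonce_field( 'example_switch_user' ).
add_action( 'admin_post_example_switch_user', 'hardened_switch_user' );
```

The ordering matters: the authentication check, the capability check and the nonce check all run before any user lookup, so an unauthenticated request never reaches the code path that issues a cookie. The `edit_user` meta capability additionally stops a lower-privileged caller from switching into an account it could not otherwise manage.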
On July 3, 2025, the security issue related to the Service Finder Bookings plugin was published in the Patchstack database, but there has been no response from the vendor to date.
This issue serves as a reminder for all WordPress users to keep their plugins and themes updated to the latest versions to ensure the security of their websites. Stay vigilant, and prioritise security in your digital spaces.