CVE-2025-5948: 
WordPress vulnerability analysis and mitigation

The Service Finder Bookings plugin for WordPress has been identified with a critical vulnerability (CVE-2025-5948) affecting all versions up to and including 6.0. This vulnerability was discovered and reported on September 19, 2025. The issue stems from improper user identity validation in the plugin's business claiming functionality (NVD CVE).

The vulnerability is classified as an authorization bypass through user-controlled key (CWE-639). The issue specifically relates to the claim_business AJAX action not properly validating user identity. The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD CVE).

The vulnerability allows unauthenticated attackers to potentially login as any user, including administrators. The high severity rating indicates potential complete compromise of system confidentiality, integrity, and availability. The vulnerability affects the core business claiming functionality of the Service Finder Bookings plugin (NVD CVE).

Users are advised to update their Service Finder Bookings plugin to versions newer than 6.0 when available. As this is a recently discovered vulnerability, users should monitor the official plugin repository and vendor communications for patch availability (Wordfence Intel).