CVE-2025-5954: 
WordPress vulnerability analysis and mitigation

The Service Finder SMS System plugin for WordPress contains a critical privilege escalation vulnerability (CVE-2025-5954) discovered and disclosed on July 31, 2025. The vulnerability affects all versions up to and including 2.0.0. This security flaw enables unauthenticated attackers to perform account takeover by exploiting unrestricted user role selection during registration (NVD).

The vulnerability stems from improper privilege management (CWE-269) in the aonesms_fn_savedata_after_signup() function, which fails to restrict user role selection during the registration process. The vulnerability has received a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (Wordfence).

The vulnerability allows unauthenticated attackers to register themselves as administrator users, effectively gaining complete control over the WordPress installation. This level of access permits attackers to modify site content, install malicious plugins, access sensitive information, and potentially compromise the entire website (NVD).

Website administrators running the Service Finder SMS System plugin should immediately update to a version newer than 2.0.0 if available. If no patch is available, it is recommended to disable the plugin until a security update is released (NVD).