CVE-2025-6574: 
WordPress vulnerability analysis and mitigation

The Service Finder Bookings plugin for WordPress (CVE-2025-6574) contains a privilege escalation vulnerability that affects all versions up to, but not including, version 6.1. The vulnerability was disclosed on November 1, 2025, and received a CVSS v3.1 base score of 8.8 (HIGH) (NVD).

The vulnerability stems from improper user identity validation when updating user details, particularly email addresses. This security flaw is classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The vulnerability has a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact across confidentiality, integrity, and availability (NVD).

The vulnerability allows authenticated attackers with subscriber-level access or higher to modify arbitrary user email addresses, including those of administrators. This capability can be leveraged to perform password resets and gain unauthorized access to administrator accounts, effectively compromising the entire WordPress installation (NVD).

Users should upgrade to Service Finder Bookings plugin version 6.1 or later to address this vulnerability. The fix is available through the official WordPress plugin repository (Wordfence).