Platform
wordpress
Component
service-finder-sms-system
Fixed in
2.0.1
CVE-2025-5954 is a privilege escalation vulnerability in the Service Finder SMS System WordPress plugin. The plugin's registration flow does not restrict which role a new account may request, so an unauthenticated attacker can register directly as an administrator and take complete control of the WordPress site. Versions 0.0.0 through 2.0.0 are affected; version 2.0.1 contains the fix.
The impact of CVE-2025-5954 is severe. A successful exploit bypasses authentication entirely and yields administrator privileges on the WordPress site: the attacker can modify content, install malicious plugins, read sensitive data (user credentials, customer information, financial details), and potentially pivot to other systems on the network. Because no role restriction is enforced during user registration, exploitation requires no specialized knowledge or tools beyond the ability to submit a registration request.
This vulnerability was publicly disclosed on August 1, 2025. No public proof-of-concept (PoC) code had been released at the time of writing, but given how simple the flaw is, a PoC is likely to emerge. It is not currently listed in the CISA KEV catalog, but its critical severity warrants close monitoring, and its simplicity makes it a natural candidate for automated mass-exploitation campaigns.
Exploit Status
EPSS
0.20% (42nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-5954 is to upgrade the Service Finder SMS System plugin to version 2.0.1 or later immediately. If upgrading is not immediately feasible, temporarily deactivate the plugin so that its registration flow cannot be reached. No direct workaround is available, but stricter registration controls in WordPress itself (e.g., holding new accounts for administrator approval) can provide a temporary layer of defense. Note that WordPress core does not log registrations by default, so rather than relying on "logs", audit the user table for administrator accounts created since the disclosure date and review web server access logs for registration requests; any unexpected administrator should be treated as evidence of compromise, not merely cleaned up.
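The two checks a responder wants after reading the paragraph above are "is my installed version still vulnerable?" and "did anyone register as an administrator after disclosure?". The script below is an added example, not code from the advisory or from the plugin vendor. It assumes WP-CLI (`wp`) is available on the host and that the plugin's slug is `service-finder-sms-system`, taken from the Component field of this page; with `LIVE=1` it queries the real site, otherwise it runs against a constructed sample so it can be tried offline.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin vendor): post-exposure
# checks for a site that ran Service Finder SMS System <= 2.0.0.
# Assumptions: WP-CLI ("wp") is on PATH and the plugin slug is
# "service-finder-sms-system" (taken from the Component field of the page).

FIXED_VERSION="2.0.1"          # first patched release, per the advisory
DISCLOSURE_DATE="2025-08-01"   # public disclosure date, per the advisory

# version_is_fixed VERSION: exit 0 if VERSION >= FIXED_VERSION, else 1.
# Compares dotted versions numerically component by component, so
# "2.0.10" ranks above "2.0.1" (a plain string comparison would get this wrong).
version_is_fixed() {
    awk -v a="$1" -v b="$FIXED_VERSION" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 1
            if (p > q) exit 0
        }
        exit 0
    }'
}

# suspicious_admins < CSV: print the login of every administrator whose
# registration date is on or after DISCLOSURE_DATE. Input is the CSV that
#   wp user list --role=administrator --format=csv \
#      --fields=ID,user_login,user_email,user_registered
# writes: a header row, then user_registered as "YYYY-MM-DD HH:MM:SS".
# ISO dates compare correctly as strings, so no date parsing is needed.
suspicious_admins() {
    awk -F, -v since="$DISCLOSURE_DATE" \
        'NR > 1 && substr($4, 1, 10) >= since { print $2 }'
}

# Constructed sample of the wp command's output (not real site data): one
# long-standing owner account and one administrator created after disclosure,
# which is the trace a successful exploit of this flaw leaves behind.
SAMPLE_CSV='ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2021-03-09 10:15:00
57,svcadmin92,svcadmin92@example.net,2025-08-03 14:22:10'

if [ "${LIVE:-0}" = "1" ]; then
    # Real run: requires wp on PATH, executed from the WordPress root.
    installed=$(wp plugin get service-finder-sms-system --field=version)
    admins=$(wp user list --role=administrator --format=csv \
                 --fields=ID,user_login,user_email,user_registered)
else
    installed="2.0.0"
    admins="$SAMPLE_CSV"
fi

if version_is_fixed "$installed"; then
    echo "plugin version $installed: patched"
else
    echo "plugin version $installed: VULNERABLE, upgrade to $FIXED_VERSION or later"
fi
echo "administrators registered since $DISCLOSURE_DATE:"
printf '%s\n' "$admins" | suspicious_admins
```

Run it as `LIVE=1 sh check.sh` from the WordPress root to query the site; without `LIVE=1` it exercises the sample data and reports `svcadmin92` as the post-disclosure administrator. A hit from `suspicious_admins` means the account must be investigated as a compromise (what it changed, what it installed, where it logged in from), not just deleted.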
Update the Service Finder SMS System plugin to version 2.0.1 or later to mitigate the privilege escalation vulnerability. This update adds the missing restriction on user role selection during registration, preventing unauthenticated attackers from registering as administrators.
CVE-2025-5954 is a critical vulnerability in the Service Finder SMS System WordPress plugin allowing attackers to register as administrators, gaining full control of the site.
If you are running any version of Service Finder SMS System up to and including 2.0.0 (listed as 0.0.0 through 2.0.0), you are affected by this vulnerability.
Upgrade the Service Finder SMS System plugin to version 2.0.1 or later to resolve this privilege escalation vulnerability.
While no active exploitation has been confirmed, the ease of exploitation suggests it is likely to be targeted.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.