Plateforme
wordpress
Composant
service-finder-sms-system
Corrigé dans
2.0.1
CVE-2025-5954 is a privilege escalation vulnerability discovered in the Service Finder SMS System WordPress plugin. This flaw allows unauthenticated attackers to register as administrator users, granting them complete control over the WordPress site. The vulnerability affects versions 0.0.0 through 2.0.0, but a patch is available in version 2.0.1.
The impact of CVE-2025-5954 is severe. Successful exploitation allows an attacker to bypass authentication and gain administrator privileges on the WordPress site. This grants them full control, including the ability to modify content, install malicious plugins, steal sensitive data (user credentials, customer information, financial details), and potentially pivot to other systems on the network. The lack of role restriction during user registration makes this vulnerability particularly easy to exploit, requiring no specialized knowledge or tools.
This vulnerability was publicly disclosed on August 1, 2025. No public proof-of-concept (POC) code has been released at the time of writing, but the ease of exploitation suggests that a POC is likely to emerge. It is not currently listed on the CISA KEV catalog, but its critical severity warrants close monitoring. The vulnerability's simplicity increases the likelihood of exploitation in automated attacks.
WordPress sites utilizing the Service Finder SMS System plugin, particularly those with limited security controls or those that allow open user registration, are at significant risk. Shared hosting environments where plugin updates are not managed centrally are also particularly vulnerable.
• wordpress / composer / npm:
grep -r 'aonesms_fn_savedata_after_signup' /var/www/html/wp-content/plugins/service-finder-sms-system/• wordpress / composer / npm:
wp plugin list --status=inactive | grep 'service-finder-sms-system'• wordpress / composer / npm:
wp plugin list --status=active | grep 'service-finder-sms-system'disclosure
Statut de l'Exploit
EPSS
0.20% (percentile 42%)
CISA SSVC
Vecteur CVSS
The primary mitigation for CVE-2025-5954 is to immediately upgrade the Service Finder SMS System plugin to version 2.0.1 or later. If upgrading is not immediately feasible, consider temporarily disabling the plugin to prevent new user registrations. While a direct workaround is unavailable, implementing stricter user registration policies within WordPress itself (e.g., requiring administrator approval for new accounts) can provide a temporary layer of defense. Monitor WordPress logs for suspicious user registration attempts.
Actualice el plugin Service Finder SMS System a la versión 2.0.1 o superior para mitigar la vulnerabilidad de escalada de privilegios. Esta actualización corrige la falta de restricciones en la selección de roles de usuario durante el registro, previniendo que atacantes no autenticados se registren como administradores.
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2025-5954 is a critical vulnerability in the Service Finder SMS System WordPress plugin allowing attackers to register as administrators, gaining full control of the site.
If you are using Service Finder SMS System version 0.0.0 through 2.0.0, you are affected by this vulnerability.
Upgrade the Service Finder SMS System plugin to version 2.0.1 or later to resolve this privilege escalation vulnerability.
While no active exploitation has been confirmed, the ease of exploitation suggests it is likely to be targeted.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.