Platform: wordpress
Component: service-finder-sms-system
Fixed version: 2.0.1
CVE-2025-5954 is a privilege escalation vulnerability discovered in the Service Finder SMS System WordPress plugin. This flaw allows unauthenticated attackers to register as administrator users, granting them complete control over the WordPress site. The vulnerability affects versions 0.0.0 through 2.0.0, but a patch is available in version 2.0.1.
The impact of CVE-2025-5954 is severe. Successful exploitation allows an attacker to bypass authentication and gain administrator privileges on the WordPress site. This grants them full control, including the ability to modify content, install malicious plugins, steal sensitive data (user credentials, customer information, financial details), and potentially pivot to other systems on the network. The lack of role restriction during user registration makes this vulnerability particularly easy to exploit, requiring no specialized knowledge or tools.
This vulnerability was publicly disclosed on August 1, 2025. No public proof-of-concept (POC) code has been released at the time of writing, but the ease of exploitation suggests that a POC is likely to emerge. It is not currently listed on the CISA KEV catalog, but its critical severity warrants close monitoring. The vulnerability's simplicity increases the likelihood of exploitation in automated attacks.
WordPress sites utilizing the Service Finder SMS System plugin, particularly those with limited security controls or those that allow open user registration, are at significant risk. Shared hosting environments where plugin updates are not managed centrally are also particularly vulnerable.
• wordpress / composer / npm:
  grep -r 'aonesms_fn_savedata_after_signup' /var/www/html/wp-content/plugins/service-finder-sms-system/
• wordpress / composer / npm:
  wp plugin list --status=inactive | grep 'service-finder-sms-system'
• wordpress / composer / npm:
  wp plugin list --status=active | grep 'service-finder-sms-system'
Exploitation status
EPSS
0.20% (42nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-5954 is to immediately upgrade the Service Finder SMS System plugin to version 2.0.1 or later. If upgrading is not immediately feasible, consider temporarily disabling the plugin to prevent new user registrations. While a direct workaround is unavailable, implementing stricter user registration policies within WordPress itself (e.g., requiring administrator approval for new accounts) can provide a temporary layer of defense. Monitor WordPress logs for suspicious user registration attempts.
Upgrade the Service Finder SMS System plugin to version 2.0.1 or later to mitigate the privilege escalation vulnerability. This update fixes the missing restrictions on user role selection during registration, preventing unauthenticated attackers from registering as administrators.
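The version check and the registration monitoring described above can be combined into one WP-CLI triage script. This is an added example, not code from the plugin or its vendor; the function names, the sample rows and the choice of start date are assumptions for illustration.

```shell
#!/bin/sh
# Added example: triage helpers for CVE-2025-5954 built on WP-CLI output.
PLUGIN=service-finder-sms-system   # plugin slug from this page
FIXED=2.0.1                        # fixed version from this page

# version_lt A B: succeed when dotted version A is strictly older than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# admins_since DATE: read CSV rows (ID,user_login,user_registered) on stdin and
# print administrators registered on or after DATE (YYYY-MM-DD).
admins_since() {
    awk -F, -v since="$1" '
        { gsub(/"/, "") }                      # WP-CLI quotes fields containing spaces
        NR > 1 && substr($3, 1, 10) >= since { print $2 " " $3 }'
}

# Constructed sample of `wp user list ... --format=csv` output (not real data).
sample_csv() {
    printf '%s\n' 'ID,user_login,user_registered' \
        '1,siteowner,"2023-02-11 09:15:02"' \
        '57,svc_admin,"2025-08-03 11:42:10"'
}

# triage SINCE: report the installed plugin version and recent administrators.
triage() {
    ver=$(wp plugin get "$PLUGIN" --field=version 2>/dev/null) || {
        echo "$PLUGIN is not installed"; return 0; }
    if version_lt "$ver" "$FIXED"; then
        echo "VULNERABLE: $PLUGIN $ver is older than $FIXED"
    else
        echo "OK: $PLUGIN $ver"
    fi
    wp user list --role=administrator --fields=ID,user_login,user_registered \
        --format=csv | admins_since "$1"
}

# Run against a live site only when a start date is given, e.g.: sh triage.sh 2025-08-01
if [ "$#" -gt 0 ]; then triage "$1"; fi
```

Any administrator the script lists that the site owner did not create should be reviewed; choose a start date that covers the whole period the vulnerable version was installed.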
CVE-2025-5954 is a critical vulnerability in the Service Finder SMS System WordPress plugin allowing attackers to register as administrators, gaining full control of the site.
If you are using Service Finder SMS System version 0.0.0 through 2.0.0, you are affected by this vulnerability.
Upgrade the Service Finder SMS System plugin to version 2.0.1 or later to resolve this privilege escalation vulnerability.
While no active exploitation has been confirmed, the ease of exploitation suggests it is likely to be targeted.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.