CVE-2025-5954
BaseFortify
Publication date: 2025-08-01
Last updated on: 2025-08-04
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | service_finder_sms_system | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Service Finder SMS System plugin for WordPress up to version 2.0.0. It allows unauthenticated attackers to escalate privileges by exploiting the lack of user role restrictions during registration. Specifically, attackers can register as administrator users because the plugin does not properly restrict role selection in the aonesms_fn_savedata_after_signup() function.
How can this vulnerability impact me?
An attacker exploiting this vulnerability can gain administrator access to a WordPress site using the Service Finder SMS System plugin. This means they can fully control the site, including modifying content, installing malicious code, stealing data, or disrupting services, leading to severe security and operational impacts.