CVE-2025-6574
BaseFortify
Publication date: 2025-11-01
Last updated on: 2025-11-04
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | service_finder_bookings | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Service Finder Bookings plugin for WordPress allows authenticated users with subscriber-level access or higher to escalate their privileges by taking over other user accounts. This happens because the plugin does not properly verify a user's identity before allowing updates to sensitive details like email addresses. An attacker can change another user's email address, including administrators, then use that to reset the password and gain full access to the account.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to user accounts, including administrator accounts, on a WordPress site using the affected plugin. Attackers can escalate their privileges, potentially gaining full control over the site, which can result in data breaches, site defacement, or other malicious activities.