Unpatched Privilege Escalation in Service Finder Bookings Plugin

Service Finder Bookings

Unauthenticated Privilege Escalation

6k+

CVSS 9.8

This blog post is about an unauthenticated Privilege Escalation vulnerability in the Service Finder Bookings plugin. If you're a Service Finder Bookings plugin user, since there is currently no available patch, we recommend deactivating and deleting the plugin.

The vulnerabilities mentioned here were discovered and reported by Patchstack Alliance community member Bonds.

About the Service Finder Bookings plugin

The plugin is a required plugin pre-packaged from the premium Service Finder theme, which has over 6,000 sales. The theme is a directory and job board WordPress theme, and the plugin itself handles all of the related booking process for the service finder.

The security vulnerability

In versions 6.1 (latest) and below, the plugin is vulnerable to a Privilege Escalation, which allows any unauthenticated attacker to escalate their privilege to administrator or even log in as any user on the site. The vulnerability doesn't have a patched version for now and is tracked with CVE-2025-23970.

First, let's take a look at the service_finder_submit_user_form function:

function service_finder_submit_user_form(){
	if (isset($_GET['switch_user']) && is_numeric($_GET['switch_user'])) {
		$user_id = intval(sanitize_text_field($_GET['switch_user']));
		service_finder_switch_user($user_id);
	}
	
	if (isset($_GET['switch_back'])) {
		service_finder_switch_back();
	}
}		
add_action('init', 'service_finder_submit_user_form');	

Since the function is added with an init hook, any unauthenticated users can trigger the function. There are two scenarios, where the user specifies $_GET['switch_user'] or $_GET['switch_back']. Let's first try to check the service_finder_switch_back function:

function service_finder_switch_back() {
    if (isset($_COOKIE['original_user_id'])) {
        $original_user_id = intval($_COOKIE['original_user_id']);
        if (get_userdata($original_user_id)) {
            // Switch back to the original user
            wp_set_current_user($original_user_id);
            wp_set_auth_cookie($original_user_id);
            do_action('wp_login', get_userdata($original_user_id)->user_login, get_userdata($original_user_id));
            
            // Clear the cookie
            setcookie('original_user_id', '', time() - 3600, '/');
            
            // Redirect to the current page or desired URL
            $accounturl = admin_url( 'admin.php?page=candidates' );
            wp_redirect($accounturl);
            exit;
        } else {
            wp_die('Original user not found.');
        }
    } else {
        wp_die('No original user found to switch back to.');
    }
}

In this function, any user can just specify any user ID via $_COOKIE['original_user_id'] value, and he/she can log in as any user, including users with the Administrator role, since the code will set the authentication cookie with the wp_set_auth_cookie function without proper check.

Let's also take a look at the service_finder_switch_user function:

function service_finder_switch_user($user_id) {
	global $current_user;
    if(service_finder_getUserRole($current_user->ID) == "administrator" || service_finder_getUserRole($current_user->ID) == "candidate") {
        if (get_userdata($user_id)) {
            // Store the original user ID in session or a cookie
            setcookie('original_user_id', get_current_user_id(), time() + 3600, '/');
            
            // Switch to the user
            wp_set_current_user($user_id);
            wp_set_auth_cookie($user_id);
            do_action('wp_login', get_userdata($user_id)->user_login, get_userdata($user_id));
            
            // Redirect to the current page or desired URL
			$accounturl = service_finder_get_url_by_shortcode('[service_finder_my_account]');
            wp_redirect($accounturl);
            exit;
        } else {
            wp_die('Invalid user ID.');
        }
    } else {
        wp_die('You do not have permission to switch users.');
    }

The patch

At the time this article was published, we were not aware of a patched version being released.

Conclusion

It is necessary to ensure that there is maximum caution when it comes to handling sessions and authentication cookies. Proper authentication/authorization checks should be implemented whenever user sessions are being assigned.

Want to learn more about finding and fixing vulnerabilities?

Explore our Academy to master the art of finding and patching vulnerabilities within the WordPress ecosystem. Dive deep into detailed guides on various vulnerability types, from discovery tactics for researchers to robust fixes for developers. Join us and contribute to our growing knowledge base.