A critical authentication bypass in the Service Finder Bookings plugin has enabled unauthenticated attackers to assume administrator privileges on thousands of WordPress sites.
Exploitation began within 24 hours of public disclosure, and over 13,800 exploit attempts have been blocked by the Wordfence Firewall to date.
On June 8, 2025, a submission to the Wordfence Bug Bounty Program revealed an authentication bypass vulnerability in Service Finder Bookings, a plugin bundled with the Service Finder theme.
https://gbhackers.com/wordpress-plugin-vulnerability-3/