Service Finder Bookings WordPress Plugin Privilege Escalation Vulnerability
Vulnerability
A privilege escalation vulnerability allowing account takeover has been identified in the Service Finder Bookings plugin for WordPress, affecting all versions through 6.0. The vulnerability arises because the plugin fails to properly verify a user's identity before allowing them to claim a business via the claim_business AJAX action. This flaw enables unauthenticated attackers to log in as any user, including administrators. Completing the business takeover requires either subscriber-level privileges or brute-forcing. A valid claim_id is needed to take over an admin account, but brute-forcing can effectively yield valid IDs.
Impact
Exploitation of this vulnerability allows for unauthorized login as any user, with the potential to impersonate an admin.
Reproduction
To reproduce this vulnerability, an unauthenticated user sends a request to the claim_business AJAX action, which the plugin processes without verifying the requester's identity. Brute-forcing may be needed to obtain valid claim_ids for admin accounts.
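A defender-side log check for the request pattern described above. This is an added example, not code from the plugin or the advisory: it assumes the action name and a claim_id parameter appear in the query string of the logged admin-ajax.php request (claim_id as a query parameter is an assumption, and a POST body would not appear in an access log), and all log lines, addresses and IDs are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format). The IPs, timestamps
# and claim_id values are made up; one client cycles through claim_ids in a burst.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=claim_business&claim_id=101 HTTP/1.1" 200 312 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=claim_business&claim_id=102 HTTP/1.1" 200 312 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=claim_business&claim_id=103 HTTP/1.1" 200 312 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2024:12:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:12:01:10 +0000] "POST /wp-admin/admin-ajax.php?action=claim_business&claim_id=44 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one combined-format line into ip, timestamp, path, action and claim_id."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    url = urlsplit(m['target'])
    qs = parse_qs(url.query)
    return {'ip': m['ip'], 'ts': ts, 'path': url.path,
            'action': qs.get('action', [None])[0],
            'claim_id': qs.get('claim_id', [None])[0]}

def find_claim_business_activity(log_text, burst_threshold=3, window_seconds=60):
    """Return (every claim_business hit, IPs trying >= burst_threshold distinct claim_ids
    within window_seconds). With no patch available, every hit deserves review; the
    burst list isolates likely claim_id brute-forcing."""
    hits = [e for e in map(parse_line, log_text.splitlines())
            if e and e['path'].endswith('/admin-ajax.php') and e['action'] == 'claim_business']
    by_ip = defaultdict(list)
    for e in hits:
        by_ip[e['ip']].append(e)
    suspects = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e['ts'])
        for i, start in enumerate(events):
            window = [e for e in events[i:]
                      if (e['ts'] - start['ts']).total_seconds() <= window_seconds]
            if len({e['claim_id'] for e in window}) >= burst_threshold:
                suspects.append(ip)
                break
    return hits, suspects

if __name__ == '__main__':
    all_hits, bursting = find_claim_business_activity(SAMPLE_LOG)
    print(f"{len(all_hits)} claim_business requests; brute-force candidates: {bursting}")
```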
Remediation
No known patch is available. It is recommended to uninstall the affected plugin and find a replacement.