Venom Chip Cookies exploit WordPress Service Finder
- Javier Conejo del Cerro
- Oct 9
- 4 min read
Updated: Oct 15

It starts like a harmless treat — a popular WordPress theme used by small businesses and freelancers to manage appointments and bookings. Yet inside, a poisonous chip hides in the dough. A critical vulnerability (CVE-2025-5947, CVSS 9.8) in the Service Finder theme, specifically in its bundled Service Finder Bookings plugin, enables unauthenticated attackers to bypass authentication and access any user account, including administrators.
The flaw stems from how the plugin handles cookies through the service_finder_switch_back() function. Because the cookie value isn’t properly validated, attackers can forge one that tricks the website into believing they are already logged in. The result? Full control over the WordPress installation — site hijacking, credential theft, data exfiltration, and defacement — all without ever knowing a single password.
Behind this sugary metaphor hides a serious threat that has been exploited in the wild since August 2025, with more than 13,800 recorded attempts against vulnerable websites. For thousands of organizations using the Service Finder theme, this vulnerability represents the digital equivalent of serving malware-laced cookies at the front desk.
Phase 1: The Victims — Sweet Targets in the Digital Bakery
The victims of this campaign are not large corporations with layered defenses and dedicated SOC teams. They are website administrators, marketing professionals, developers, small agencies, and non-technical business owners who rely on WordPress to run booking platforms, client dashboards, and service portals.
These users typically operate with limited oversight and often outsource maintenance or security to third parties. For many of them, themes like Service Finder simplify daily operations — scheduling, user management, and payment integration — but also expand the attack surface. Because authentication happens through cookies and session tokens, any validation flaw instantly translates into high-impact exposure.
What makes this case particularly dangerous is the nature of the users themselves: people who manage customer data, appointments, and often payment information through a WordPress dashboard that may not be continuously monitored or hardened. For attackers, these sites are perfect entry points into larger hosting environments or client networks.
Phase 2: The Breach — How the Poisoned Cookie Works
The exploit vector is elegantly simple yet devastating. Attackers send crafted HTTP or HTTPS requests targeting the Service Finder Bookings plugin, exploiting its broken authentication logic. The plugin fails to confirm whether the cookie provided truly belongs to a valid session. By sending a maliciously crafted cookie, the attacker convinces the system that they are a legitimate user — even an administrator.
Once inside, they gain administrator-level privileges in the WordPress dashboard. From there, they can:
- Install backdoors and persistence mechanisms disguised as plugins or themes.
- Alter routing, firewall, and VPN configurations if the site hosts connected services.
- Steal stored credentials or tokens from connected APIs and payment gateways.
- Inject malicious JavaScript or PHP code to redirect users, harvest credentials, or distribute malware.
- Perform defacement campaigns to damage reputation or plant SEO spam for further monetization.
All versions of the Service Finder theme up to 6.0 are vulnerable. The developers released version 6.1 on July 17, 2025, to patch the flaw — but exploitation in the wild began only weeks later. Wordfence researchers have observed ongoing attack attempts originating from IPs such as 5.189.221.98, 185.109.21.157, 192.121.16.196, 194.68.32.71, and 178.125.204.198.
This case illustrates how a seemingly minor oversight — failing to validate a cookie variable — can become a critical, remote, unauthenticated exploit that grants total site compromise.
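To make the "unchecked cookie" concrete, here is an added illustration in PHP (not the Service Finder code, whose internals are not shown in this article). The function and cookie names (sf_switch_back_unsafe, sf_switch_user, sf_switch_back_safe, original_user_id, sf_switch_token) are hypothetical; the WordPress calls (wp_set_auth_cookie, set_transient, current_user_can and so on) are real core APIs. The first function shows the anti-pattern the advisory describes: the cookie value alone decides which account the visitor is restored to. The second pair shows the usual fix: the browser only holds an opaque random token, the token-to-user mapping lives server-side, and switching back is single-use and re-checks that the original account is still an administrator.

```php
<?php
// Added illustration, not the Service Finder code. Function and cookie names
// are hypothetical; all wp_*/transient calls are WordPress core APIs.

// --- Anti-pattern described in the article: the cookie alone decides who you are.
function sf_switch_back_unsafe() {
    if ( empty( $_COOKIE['original_user_id'] ) ) {
        return;
    }
    // Nothing verifies that this value was issued by the server or that the
    // requester ever switched accounts, so the integer in the cookie is
    // simply trusted as a user ID.
    $uid = (int) $_COOKIE['original_user_id'];
    wp_set_auth_cookie( $uid );
    wp_set_current_user( $uid );
}

// --- Hardened variant: opaque single-use token, server-side mapping,
//     capability re-checked on the way back.
function sf_switch_user( $target_user_id ) {
    // Only an authenticated administrator may switch into another account.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Not allowed', 403 );
    }
    $original_id = get_current_user_id();
    $token       = bin2hex( random_bytes( 32 ) );   // 256-bit, unguessable
    // The user ID is stored server-side and expires; the cookie carries no ID.
    set_transient( 'sf_switch_' . $token, $original_id, HOUR_IN_SECONDS );
    setcookie( 'sf_switch_token', $token, [
        'expires'  => time() + HOUR_IN_SECONDS,
        'path'     => COOKIEPATH,
        'secure'   => is_ssl(),
        'httponly' => true,
        'samesite' => 'Lax',
    ] );
    wp_set_auth_cookie( $target_user_id );
    wp_set_current_user( $target_user_id );
}

function sf_switch_back_safe() {
    if ( empty( $_COOKIE['sf_switch_token'] ) ) {
        return;
    }
    $token = $_COOKIE['sf_switch_token'];
    // Accept only the exact shape we issued (64 lowercase hex characters).
    if ( ! preg_match( '/^[a-f0-9]{64}$/', $token ) ) {
        return;
    }
    $original_id = get_transient( 'sf_switch_' . $token );
    if ( false === $original_id ) {
        return;   // unknown, expired or already-used token: do nothing
    }
    delete_transient( 'sf_switch_' . $token );      // single use
    // The account we return to must still exist and still be an administrator.
    if ( ! user_can( (int) $original_id, 'manage_options' ) ) {
        return;
    }
    wp_set_auth_cookie( (int) $original_id );
    wp_set_current_user( (int) $original_id );
    // Clear the switch cookie so it cannot be replayed.
    setcookie( 'sf_switch_token', '', time() - HOUR_IN_SECONDS, COOKIEPATH );
}
```

The design point is that a cookie is attacker-controlled input: anything that maps directly from a cookie value to an identity, without a server-side record the client cannot forge, is an authentication bypass waiting to happen. Signing the cookie (HMAC with wp_salt()) is an alternative, but the server-side token also gives you expiry, single use and an audit trail for free.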
Phase 3: The Aftertaste — Consequences of Compromise
Once an attacker gains admin privileges, the compromise goes far beyond one WordPress installation. A hijacked Service Finder instance can serve as a staging ground for lateral movement within the hosting infrastructure, or as a delivery platform for malware campaigns targeting site visitors.
Compromised sites may:
- Host drive-by download scripts and redirect chains.
- Leak sensitive customer information or credentials reused across accounts.
- Lose visibility and trust as users encounter phishing redirects or fake login forms.
- Experience search-engine penalties and blacklisting from security vendors.
For SMBs, such incidents often translate directly into loss of clients, brand reputation, and revenue. The damage isn’t limited to the technical domain — it erodes customer confidence in digital booking platforms and third-party integrations that power everyday business operations.
Conclusions: Cleaning the Jar and Hardening the Oven
Mitigation of this vulnerability requires more than a quick patch — it calls for a re-evaluation of how authentication is handled across plugins and themes. Site administrators should take the following steps immediately:
- Update Service Finder Bookings to version 6.1 or later.
- Audit logs for unauthorized logins, redirects, or plugin installations.
- Review access from the following attacker IPs: 5.189.221.98, 185.109.21.157, 192.121.16.196, 194.68.32.71, 178.125.204.198.
- Disable account switching features unless strictly necessary.
- Implement Web Application Firewalls (WAF) and restrict access to wp-admin panels by IP or VPN.
- Regularly back up all site configurations and database contents.
- Educate site owners and non-technical users about the importance of patch cycles and credential hygiene.
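The second and third steps above (audit logs, review access from the listed IPs) can be done with a short script. The following PHP command-line script is an added example, not part of the article: it parses web-server access-log lines in the common "combined" format, flags any request from the five IPs named in the article, and separately flags successful requests to the wp-admin endpoints used to install plugins or themes, create users, or edit code. The log lines embedded in it are constructed for the demonstration; the list of sensitive paths is my own choice of what is worth a second look after a suspected takeover.

```php
<?php
// Added example, not part of the original article. Run with: php audit.php
// Sample log lines below are constructed; the IP list is taken from the article.

const INDICATOR_IPS = [
    '5.189.221.98', '185.109.21.157', '192.121.16.196',
    '194.68.32.71', '178.125.204.198',
];

// Admin endpoints whose successful use deserves review after a suspected compromise.
const SENSITIVE_PATHS = [
    '/wp-admin/plugin-install.php',
    '/wp-admin/update.php',
    '/wp-admin/theme-install.php',
    '/wp-admin/user-new.php',
    '/wp-admin/plugin-editor.php',
    '/wp-admin/theme-editor.php',
];

// Parse one combined-format line into ip/time/method/path/status, or null if malformed.
function parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => strtok( $m[4], '?' ),   // drop the query string
        'status' => (int) $m[5],
    ];
}

// Return every request that matches an indicator, with the reason(s) attached.
function audit_log( iterable $lines ): array {
    $findings = [];
    foreach ( $lines as $line ) {
        $r = parse_log_line( $line );
        if ( ! $r ) {
            continue;
        }
        $reasons = [];
        if ( in_array( $r['ip'], INDICATOR_IPS, true ) ) {
            $reasons[] = 'known attacker IP';
        }
        // A 403 from the WAF is noise; a 2xx/3xx on these paths is not.
        if ( in_array( $r['path'], SENSITIVE_PATHS, true ) && $r['status'] < 400 ) {
            $reasons[] = 'admin install/edit endpoint';
        }
        if ( $reasons ) {
            $findings[] = $r + [ 'reasons' => $reasons ];
        }
    }
    return $findings;
}

// Constructed sample: one benign hit, two from a listed IP, one blocked attempt.
$sample = [
    '203.0.113.7 - - [12/Oct/2025:09:14:01 +0000] "GET /services/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '5.189.221.98 - - [12/Oct/2025:09:15:22 +0000] "GET /wp-admin/ HTTP/1.1" 200 9021 "-" "python-requests/2.31"',
    '5.189.221.98 - - [12/Oct/2025:09:15:25 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 811 "-" "python-requests/2.31"',
    '198.51.100.4 - - [12/Oct/2025:10:02:11 +0000] "GET /wp-admin/plugin-install.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
];

foreach ( audit_log( $sample ) as $f ) {
    printf( "%s %s %s %s -> %s\n",
        $f['time'], $f['ip'], $f['method'], $f['path'], implode( ', ', $f['reasons'] ) );
}
```

Against the sample this reports the two requests from 5.189.221.98 (the second one with both reasons) and nothing else. To run it over a real log, replace $sample with new SplFileObject('/var/log/apache2/access.log') (or your host's equivalent path); SplFileObject is iterable line by line, and the anchored regex ignores the trailing newline. Hits from the listed IPs are a starting point, not proof of compromise, and a clean result does not rule one out: successful logins that followed a forged cookie look like ordinary admin traffic, so also check the WordPress users table and plugin directory for entries you did not create.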
Cyber hygiene in the WordPress ecosystem isn’t about paranoia — it’s about resilience. A single unchecked cookie can compromise an entire business. The “Venom Chip” exploit reminds us that even small plugins can open large doors when authentication is taken for granted.
The Hacker News