Check Your WordPress Site for CVE-2025-5947 Authentication Bypass
Free security check script for WordPress sites that use the Service Finder theme. It detects the CVE-2025-5947 authentication bypass vulnerability (CVSS 9.8, Critical), which allows attackers to gain administrator access. The script checks your theme version, scans server logs for exploitation attempts, and provides actionable security recommendations. It also includes .htaccess mitigation rules for temporary protection while you update to version 6.1 or later.
UPLOADED: 2025.10.15
ID: CVE-2025-5947 //
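<?php
/**
 * CVE-2025-5947 Security Check Script
 * Checks for Service Finder Bookings authentication bypass vulnerability
 *
 * USAGE: Place this file in your WordPress root directory and access via browser
 * DELETE THIS FILE after running the check!
 */
// Gate on the connecting address. REMOTE_ADDR is the TCP peer PHP sees: behind a
// reverse proxy or a local web server fronting php-fpm every visitor can arrive as
// 127.0.0.1, so this is a convenience guard, not a reliable access control — the
// real control is deleting the file after use. Under php-cli REMOTE_ADDR is unset,
// which falls through to the denial below.
$allowed_ips = ['127.0.0.1', '::1'];
$remote_ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
// strict comparison: the list holds exact address strings, no coercion wanted
if (!in_array($remote_ip, $allowed_ips, true)) {
    die('Access denied. Run this script from localhost only or modify the allowed IPs.');
}
// Surface every error while the check runs; the script is meant to be run once and removed
error_reporting(E_ALL);
ini_set('display_errors', 1);
// Start output
header('Content-Type: text/html; charset=utf-8');
?>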
<!DOCTYPE html>
<html>
<head>
<title>CVE-2025-5947 Security Check</title>
<style>
body { font-family: Arial, sans-serif; max-width: 1200px; margin: 20px auto; padding: 20px; background: #f5f5f5; }
.container { background: white; padding: 20px; border-radius: 8px; box-shadow: 0 2px 4px rgba(0,0,0,0.1); }
h1 { color: #333; border-bottom: 3px solid #0073aa; padding-bottom: 10px; }
h2 { color: #0073aa; margin-top: 30px; }
.critical { background: #dc3232; color: white; padding: 15px; border-radius: 5px; margin: 10px 0; }
.warning { background: #ffb900; color: #000; padding: 15px; border-radius: 5px; margin: 10px 0; }
.success { background: #46b450; color: white; padding: 15px; border-radius: 5px; margin: 10px 0; }
.info { background: #00a0d2; color: white; padding: 15px; border-radius: 5px; margin: 10px 0; }
table { width: 100%; border-collapse: collapse; margin: 15px 0; }
th, td { padding: 10px; text-align: left; border-bottom: 1px solid #ddd; }
th { background: #0073aa; color: white; }
tr:hover { background: #f9f9f9; }
.code { background: #f4f4f4; padding: 10px; border-left: 4px solid #0073aa; font-family: monospace; overflow-x: auto; }
.recommendations { background: #fffbcc; padding: 15px; border-left: 4px solid #ffb900; margin: 20px 0; }
.badge { display: inline-block; padding: 3px 8px; border-radius: 3px; font-size: 12px; font-weight: bold; }
.badge-critical { background: #dc3232; color: white; }
.badge-warning { background: #ffb900; color: black; }
.badge-success { background: #46b450; color: white; }
</style>
</head>
<body>
<div class="container">
<h1>๐ก๏ธ CVE-2025-5947 Security Check</h1>
<p><strong>Vulnerability:</strong> Service Finder Bookings Authentication Bypass</p>
<p><strong>CVSS Score:</strong> 9.8 (Critical)</p>
<p><strong>Scan Time:</strong> <?php echo date('Y-m-d H:i:s'); ?></p>
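<?php
// Load WordPress. WP_USE_THEMES=false skips the active theme's template loading;
// only the WordPress API is needed here.
define('WP_USE_THEMES', false);
// Resolve wp-load.php relative to this file, not the process working directory
$wp_load = __DIR__ . '/wp-load.php';
if (file_exists($wp_load)) {
    require_once $wp_load;
} else {
    die('<div class="critical">ERROR: Could not find wp-load.php. Make sure this script is in your WordPress root directory.</div></body></html>');
}
// Findings collected by the checks below and read by the final assessment
$results = [
    'vulnerable' => false,           // theme Version header is below the fixed release (6.1)
    'version' => null,               // theme Version header, when the theme is installed
    'theme_active' => false,         // service-finder is the active template or stylesheet
    'function_exists' => false,      // 'service_finder_switch_back' string seen in a theme file
    'exploitation_attempts' => [],   // matched log lines: ['line' => ..., 'file' => ...]
    'recommendations' => []          // action items, filled by the assessment section
];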
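echo "<h2>๐ Installation Check</h2>";
// Look the theme up by its directory slug; a theme installed under a renamed
// directory would not be found by this check
$theme = wp_get_theme('service-finder');
if ($theme->exists()) {
    $version = $theme->get('Version');
    $results['version'] = $version;
    // An installed-but-inactive theme still leaves the vulnerable code on disk;
    // the final assessment distinguishes the two cases
    $results['theme_active'] = (get_template() === 'service-finder' || get_stylesheet() === 'service-finder');
    $active_badge = $results['theme_active'] ? 'badge-warning' : 'badge-success';
    $active_label = $results['theme_active'] ? 'YES' : 'NO';
    $active_detail = $results['theme_active'] ? 'Theme is currently active' : 'Theme installed but not active';
    // The Version header is read from the theme's style.css and is untrusted for HTML output
    $version_html = htmlspecialchars((string) $version, ENT_QUOTES, 'UTF-8');
    echo "<table>";
    echo "<tr><th>Check</th><th>Status</th><th>Details</th></tr>";
    echo "<tr><td>Theme Installed</td><td><span class='badge badge-warning'>YES</span></td><td>Service Finder theme found</td></tr>";
    echo "<tr><td>Theme Active</td><td><span class='badge {$active_badge}'>{$active_label}</span></td><td>{$active_detail}</td></tr>";
    echo "<tr><td>Version</td><td><span class='badge badge-warning'>{$version_html}</span></td><td>";
    // Fixed in 6.1. An empty or missing Version header compares as lower than
    // '6.1' and is therefore reported as vulnerable (conservative by design).
    if (version_compare((string) $version, '6.1', '<')) {
        $results['vulnerable'] = true;
        echo "โ ๏ธ VULNERABLE - Version is below 6.1";
    } else {
        echo "โ
Patched - Version 6.1 or higher";
    }
    echo "</td></tr>";
    echo "</table>";
} else {
    echo "<div class='success'>โ
Service Finder theme is NOT installed on this site.</div>";
}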
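// Check for vulnerable function in theme files
echo "<h2>๐ Code Analysis</h2>";
$theme_path = get_theme_root() . '/service-finder';
$vulnerable_file = $theme_path . '/inc/service_finder_switch_back.php';
$functions_file = $theme_path . '/functions.php';
if (file_exists($theme_path)) {
    echo "<table>";
    echo "<tr><th>File</th><th>Status</th><th>Details</th></tr>";
    // Check for the vulnerable function
    $function_found = false;
    $files_to_check = [$vulnerable_file, $functions_file];
    // Also check all PHP files in inc directory (glob() returns false on error, not [])
    if (is_dir($theme_path . '/inc')) {
        $inc_files = glob($theme_path . '/inc/*.php');
        if (is_array($inc_files)) {
            $files_to_check = array_merge($files_to_check, $inc_files);
        }
    }
    // The explicit inc/ file is also returned by the glob; report each file once
    $files_to_check = array_unique($files_to_check);
    foreach ($files_to_check as $file) {
        if (!is_file($file) || !is_readable($file)) {
            continue;
        }
        $content = file_get_contents($file);
        if ($content === false || strpos($content, 'service_finder_switch_back') === false) {
            continue;
        }
        $function_found = true;
        $results['function_exists'] = true;
        // Heuristic only: these strings appearing anywhere in the file does not prove
        // that the switch-back handler itself performs a nonce or capability check.
        // Treat "FOUND" as "needs manual review", not as "safe".
        $has_validation = (strpos($content, 'wp_verify_nonce') !== false ||
            strpos($content, 'check_ajax_referer') !== false ||
            strpos($content, 'current_user_can') !== false);
        $status_badge = $has_validation ? "badge-warning" : "badge-critical";
        $status_label = $has_validation ? "FOUND" : "VULNERABLE";
        $status_detail = $has_validation ? "Function found with some validation" : "โ ๏ธ Function found WITHOUT proper validation";
        echo "<tr><td>" . htmlspecialchars(basename($file), ENT_QUOTES, 'UTF-8') . "</td>";
        echo "<td><span class='badge {$status_badge}'>{$status_label}</span></td>";
        echo "<td>{$status_detail}</td></tr>";
    }
    if (!$function_found) {
        echo "<tr><td>Vulnerable Function</td><td><span class='badge badge-success'>NOT FOUND</span></td><td>service_finder_switch_back() not detected</td></tr>";
    }
    echo "</table>";
} else {
    echo "<div class='info'>Theme directory not found for detailed code analysis.</div>";
}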
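// Check for exploitation attempts in logs
echo "<h2>๐จ Log Analysis</h2>";
// Only the live (un-rotated) access log at each location is read; rotated or
// compressed logs (e.g. access.log.1, *.gz) are not inspected, so an older
// compromise can be missed here. DOCUMENT_ROOT is unset under php-cli, in which
// case that candidate path is skipped instead of producing a warning.
$log_locations = [
    '/var/log/apache2/access.log',
    '/var/log/httpd/access_log',
    '/var/log/nginx/access.log',
];
if (isset($_SERVER['DOCUMENT_ROOT'])) {
    $log_locations[] = $_SERVER['DOCUMENT_ROOT'] . '/../logs/access.log';
}
$log_locations[] = ABSPATH . 'access.log';
// Each entry is applied as a case-insensitive PCRE (see the matching loop), so
// 'wp-admin.*switch_back' is a real wildcard match; with a plain substring search
// that entry could never hit. The literal entries behave as before, except that
// '/?switch_back' now matches with or without the leading slash.
$exploitation_patterns = [
    'switch_back=1',
    'original_user_id=',
    '/?switch_back',
    'wp-admin.*switch_back'
];
$lines_to_read = 10000;
$total_attempts = 0;
$logs_checked = 0;
foreach ($log_locations as $log_file) {
    if (!file_exists($log_file) || !is_readable($log_file)) {
        continue;
    }
    $logs_checked++;
    echo "<div class='info'>Checking log: " . htmlspecialchars($log_file, ENT_QUOTES, 'UTF-8') . "</div>";
    // Read the last $lines_to_read non-blank lines of the log file
    $lines = [];
    $fp = fopen($log_file, 'r');
    if ($fp) {
        $size = filesize($log_file);
        // Offset of the last byte; -1 for an empty or unsizable file so the loop never runs
        $pos = ($size === false) ? -1 : $size - 1;
        $line_count = 0;
        $line = '';
        // Walk backwards one byte at a time, down to and including offset 0 (the
        // original loop stopped at pos > 0 and dropped the file's first byte).
        // Bytes are prepended instead of strrev()'d afterwards so multibyte UTF-8
        // sequences in the log survive intact.
        while ($pos >= 0 && $line_count < $lines_to_read) {
            fseek($fp, $pos);
            $char = fgetc($fp);
            if ($char === "\n") {
                if (trim($line) !== '') {
                    $lines[] = $line;
                    $line_count++;
                }
                $line = '';
            } elseif ($char !== false) {
                $line = $char . $line;
            }
            $pos--;
        }
        // The first line of the file has no preceding "\n"; flush it
        if (trim($line) !== '') {
            $lines[] = $line;
        }
        fclose($fp);
        // Check each line for exploitation patterns; one hit per line is enough.
        // '~' is the PCRE delimiter and does not occur in any pattern.
        foreach ($lines as $log_line) {
            foreach ($exploitation_patterns as $pattern) {
                if (preg_match('~' . $pattern . '~i', $log_line) === 1) {
                    $total_attempts++;
                    $results['exploitation_attempts'][] = [
                        'line' => substr($log_line, 0, 200),
                        'file' => $log_file
                    ];
                    break;
                }
            }
        }
    }
}
if ($logs_checked === 0) {
    echo "<div class='warning'>โ ๏ธ Could not access server logs. Check manually at your hosting control panel.</div>";
    echo "<p>Common log locations:</p>";
    echo "<ul>";
    foreach ($log_locations as $loc) {
        echo "<li><code>" . htmlspecialchars($loc, ENT_QUOTES, 'UTF-8') . "</code></li>";
    }
    echo "</ul>";
} else {
    echo "<div class='info'>Checked {$logs_checked} log file(s)</div>";
}
if ($total_attempts > 0) {
    echo "<div class='critical'>๐จ ALERT: Found {$total_attempts} potential exploitation attempt(s)!</div>";
    if (count($results['exploitation_attempts']) > 0) {
        echo "<h3>Recent Suspicious Requests:</h3>";
        echo "<table>";
        echo "<tr><th>#</th><th>Log Entry</th></tr>";
        $shown = 0;
        foreach ($results['exploitation_attempts'] as $idx => $attempt) {
            if ($shown >= 10) break; // Show only first 10
            // Log lines are attacker-controlled text; always escape before rendering
            echo "<tr><td>" . ($idx + 1) . "</td><td><code>" . htmlspecialchars($attempt['line']) . "</code></td></tr>";
            $shown++;
        }
        if (count($results['exploitation_attempts']) > 10) {
            echo "<tr><td colspan='2'><em>... and " . (count($results['exploitation_attempts']) - 10) . " more entries</em></td></tr>";
        }
        echo "</table>";
    }
} else {
    echo "<div class='success'>โ
No obvious exploitation attempts found in accessible logs (checked last 10,000 lines)</div>";
}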
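// Check WordPress user accounts for suspicious activity
echo "<h2>๐ฅ User Account Analysis</h2>";
$users = get_users(['role__in' => ['administrator', 'editor']]);
echo "<table>";
echo "<tr><th>User</th><th>Role</th><th>Registered</th><th>Last Login</th></tr>";
foreach ($users as $user) {
    // 'last_login' is not a core WordPress meta key; it is only populated when some
    // plugin records it, so "Unknown" here is expected on many sites. Its format is
    // plugin-defined: a numeric value is treated as a Unix timestamp, anything else
    // is shown verbatim (escaped).
    $last_login = get_user_meta($user->ID, 'last_login', true);
    if (!$last_login) {
        $last_login_text = 'Unknown';
    } elseif (is_numeric($last_login)) {
        $last_login_text = date('Y-m-d H:i:s', (int) $last_login);
    } else {
        $last_login_text = htmlspecialchars((string) $last_login, ENT_QUOTES, 'UTF-8');
    }
    $registered_ts = strtotime($user->user_registered);
    $registered_text = ($registered_ts !== false) ? date('Y-m-d H:i:s', $registered_ts) : 'Unknown';
    echo "<tr>";
    // On a site that may already be compromised, account fields are attacker-influenced; escape them
    echo "<td>" . htmlspecialchars($user->user_login, ENT_QUOTES, 'UTF-8') . "</td>";
    echo "<td>" . htmlspecialchars(implode(', ', $user->roles), ENT_QUOTES, 'UTF-8') . "</td>";
    echo "<td>{$registered_text}</td>";
    echo "<td>{$last_login_text}</td>";
    echo "</tr>";
}
echo "</table>";
echo "<p><em>Review for any suspicious or unknown administrator accounts</em></p>";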
// Final Assessment: combine the version check with whether the theme is in use
echo "<h2>๐ Security Assessment</h2>";
$is_vulnerable = $results['vulnerable'];
$is_active = $results['theme_active'];
if ($is_vulnerable) {
    if ($is_active) {
        // Vulnerable code is both present and reachable
        echo "<div class='critical'>";
        echo "<h3>๐จ CRITICAL - IMMEDIATE ACTION REQUIRED</h3>";
        echo "<p>Your site is ACTIVELY VULNERABLE to CVE-2025-5947!</p>";
        echo "</div>";
        $results['recommendations'] = array_merge($results['recommendations'], [
            "URGENT: Update Service Finder theme to version 6.1 or later IMMEDIATELY",
            "Review all administrator accounts for unauthorized access",
            "Change passwords for all administrator accounts",
            "Install a security plugin (Wordfence, Sucuri) if not already installed",
            "Check for malicious code in wp-content/themes and wp-content/plugins",
        ]);
    } else {
        // Vulnerable code is on disk but the theme is not the active one
        echo "<div class='warning'>";
        echo "<h3>โ ๏ธ WARNING - Vulnerable Theme Installed</h3>";
        echo "<p>Service Finder theme is installed but not active. Still recommended to update or remove.</p>";
        echo "</div>";
        $results['recommendations'] = array_merge($results['recommendations'], [
            "Update Service Finder theme to version 6.1 or later",
            "Or remove the theme if not in use",
        ]);
    }
} elseif (!$theme->exists()) {
    echo "<div class='success'>";
    echo "<h3>โ
NOT VULNERABLE</h3>";
    echo "<p>Service Finder theme is not installed. Your site is not affected by this vulnerability.</p>";
    echo "</div>";
} else {
    echo "<div class='success'>";
    echo "<h3>โ
PATCHED</h3>";
    echo "<p>Service Finder theme is updated to a patched version.</p>";
    echo "</div>";
}
// Recommendations gathered above, rendered as an ordered list (nothing when empty)
if (!empty($results['recommendations'])) {
    echo "<div class='recommendations'>";
    echo "<h3>๐ง Recommended Actions</h3>";
    echo "<ol>";
    foreach ($results['recommendations'] as $rec) {
        echo "<li>{$rec}</li>";
    }
    echo "</ol>";
    echo "</div>";
}
// Additional recommendations: static hardening advice shown regardless of findings
echo "<h2>๐ก๏ธ General Security Recommendations</h2>";
$general_recommendations = [
    "Keep WordPress core, themes, and plugins updated",
    "Use strong, unique passwords for all accounts",
    "Enable two-factor authentication for administrator accounts",
    "Install a WordPress security plugin (Wordfence, Sucuri, iThemes Security)",
    "Regular backup your site",
    "Limit login attempts",
    "Monitor your access logs regularly",
    "Use HTTPS (SSL certificate)",
];
echo "<ul>";
foreach ($general_recommendations as $item) {
    echo "<li>{$item}</li>";
}
echo "</ul>";
// Closing reminder: the report itself discloses theme/version/user details, so the file must not linger
echo "<div class='critical' style='margin-top: 30px;'>";
echo "<h3>โ ๏ธ IMPORTANT</h3>";
echo "<p><strong>DELETE THIS SCRIPT IMMEDIATELY AFTER RUNNING!</strong></p>";
echo "<p>This security check script should not remain on your server as it could expose information about your WordPress installation.</p>";
echo "</div>";
?>
</div>
</body>
</html>