Categories
HC

Hackers Exploit WordPress Theme to Gain Admin Access, Immediately Regret Seeing What’s Been Posted

CYBERSPACE— In what experts are calling “the most disturbing breach since a 2009 Twilight fan forum leak,” threat actors reportedly exploited a critical flaw in the popular Service Finder WordPress theme—only to find themselves instantly overwhelmed by decades of half-finished blog posts, embarrassing stock photos, and desperate “coming soon” pages.

The vulnerability, tracked as CVE-2025-5947, allows hackers to log in as site administrators without authentication—an ability that’s apparently worth less than they imagined.

“We thought we were gaining control of a major job board,” said one attacker, scrolling through a homepage titled ‘Local Handyman Directory – Under Construction Since 2017’. “Instead we found six plugin update nags, 14 broken contact forms, and a homepage banner that still says ‘Happy Holidays 2019.’”

According to Wordfence, more than 13,800 exploitation attempts have been recorded since August 1. However, researchers note that none of those attackers have actually stayed logged in longer than five minutes, citing “existential despair” after discovering the state of most WordPress dashboards.

Meanwhile, site owners are being urged to update to version 6.1 or “just finally switch to Squarespace like they’ve been threatening to since 2018.”

Aonetheme, the vendor of Service Finder, released a patch in July—though many users say they’re “waiting for their developer cousin to have time after finals” to install it.

Security researchers say the easiest way to detect compromise is to look for HTTP requests containing switch_back=1, though experts add that “if your WordPress theme is still called Service Finder, the real vulnerability might be your life choices.”

In response to the surge in attacks, WordPress administrators have been advised to:

  • Block suspicious IP addresses.
  • Check for new accounts.
  • And most importantly, stop using “admin” as their password.

At press time, several hackers had reportedly logged into one compromised site only to find a single blog post titled “Testing 123,” last modified in 2016—by someone who also hadn’t updated their theme.

Secret Link