Introduction
Attackers can take over any WordPress account, including administrators, on sites running Taxi Booking Manager for WooCommerce up to version 1.3.0. This vulnerability allows unauthenticated users to change email addresses for arbitrary accounts and then reset passwords, resulting in full privilege escalation. Sites using this plugin for taxi and chauffeur booking services are at risk of total compromise if left unpatched.
About the Plugin: Taxi Booking Manager for WooCommerce (also called E-cab) is a specialized WordPress plugin developed by MagePeople Team. It integrates with WooCommerce to provide dynamic taxi and chauffeur booking, fare calculation, payment gateways, and Google Maps support. The plugin is widely used by transportation service providers to manage online bookings directly from their WordPress sites.
Technical Information
CVE-2025-8898 is caused by missing authorization checks in the plugin's REST API endpoints responsible for updating user details and plugin settings. The vulnerable code resides in the plugin's REST API handler (see public diff).
Vulnerability mechanism:
- The plugin exposes API endpoints that allow updates to user details, including email addresses, and plugin settings.
- These endpoints do not verify the capabilities or identity of the requester before processing updates.
- An unauthenticated attacker can send a crafted HTTP request to the vulnerable endpoint, specifying the target user's identifier and a new email address.
- The plugin immediately updates the target user's email address without any validation.
- The attacker then uses the standard WordPress password reset feature. Since the email address is now attacker-controlled, the reset link is sent to the attacker, enabling them to set a new password and gain full access to the account.
- This process works for any user, including those with administrator privileges.
Root cause:
- The vulnerability is classified as CWE-862 (Missing Authorization). The plugin fails to check user capabilities and identity before allowing sensitive operations via its REST API.
- The flaw is present in all versions up to and including 1.3.0.
No public code snippet is available, but the issue is documented in the plugin's REST API handler (see changeset).
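As an added illustration (not the plugin's code or its actual fix), the missing-authorization pattern the advisory describes beside a hardened route registration; the namespace `example-taxi/v1`, the route paths and the `user_id`/`email` parameter names are assumed:

```php
<?php
// Added example, not the plugin's code. The namespace 'example-taxi/v1',
// the routes and the 'user_id'/'email' parameters are assumed.

// VULNERABLE PATTERN (CWE-862): permission_callback admits everyone, and
// the handler trusts a caller-supplied user ID, so an unauthenticated
// request can rewrite any account's email address.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-taxi/v1', '/user-details-insecure', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $request ) {
            return wp_update_user( array(
                'ID'         => (int) $request['user_id'],
                'user_email' => $request['email'],
            ) );
        },
    ) );
} );

// HARDENED PATTERN: WordPress evaluates permission_callback before the
// handler runs, so the capability check cannot be skipped, and the
// 'args' schema rejects malformed input before the handler sees it.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-taxi/v1', '/user-details', array(
        'methods'             => 'POST',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $user_id = (int) $request['user_id'];
            // Only the user themselves or someone who may edit users passes.
            if ( ! is_user_logged_in() || ! current_user_can( 'edit_user', $user_id ) ) {
                return new WP_Error( 'rest_forbidden', 'Not allowed.', array( 'status' => 403 ) );
            }
            return true;
        },
        'args' => array(
            'user_id' => array( 'required' => true, 'type' => 'integer' ),
            'email'   => array(
                'required'          => true,
                'validate_callback' => function ( $value ) { return is_email( $value ) !== false; },
            ),
        ),
        'callback' => function ( WP_REST_Request $request ) {
            $result = wp_update_user( array(
                'ID'         => (int) $request['user_id'],
                'user_email' => sanitize_email( $request['email'] ),
            ) );
            return is_wp_error( $result ) ? $result : rest_ensure_response( array( 'updated' => $result ) );
        },
    ) );
} );
```

Cookie-authenticated REST requests must also carry a valid X-WP-Nonce header, otherwise WordPress treats the caller as logged out; the plugin-settings endpoint the advisory mentions would follow the same pattern with `current_user_can( 'manage_options' )`.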
Affected Systems and Versions
- Product: Taxi Booking Manager for WooCommerce (E-cab) WordPress plugin
- Affected versions: All versions up to and including 1.3.0
- Any WordPress site with this plugin at or below version 1.3.0 is vulnerable
Vendor Security History
MagePeople Team, the developer of Taxi Booking Manager, has a history of critical vulnerabilities in this product line:
- CVE-2025-30839: Missing authorization in versions up to 1.2.1
- CVE-2025-24661: PHP object injection in versions up to 1.1.8
- CVE-2024-43986: Stored XSS in versions up to 1.0.9
The recurrence of authorization and input validation issues suggests systemic gaps in secure development and testing. Patch response times have varied, and the vendor's security maturity is a concern for organizations relying on this plugin for business-critical operations.