CVE-2026-25426
Description
Missing Authorization vulnerability in Magepeople inc. Taxi Booking Manager for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Taxi Booking Manager for WooCommerce: from n/a through 2.0.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Taxi Booking Manager for WooCommerce up to 2.0.1 allows unprivileged users to access or modify restricted settings.
Vulnerability
A missing authorization vulnerability exists in the Magepeople inc. Taxi Booking Manager for WooCommerce plugin (ecab-taxi-booking-manager) for WordPress, affecting all versions through 2.0.1 [1][2]. The plugin fails to properly verify access control security levels, meaning certain functions or API endpoints can be invoked without the required privileges. The vulnerable code path does not enforce authentication or nonce checks for critical actions, making it reachable by any user who can send HTTP requests to the WordPress site.
Exploitation
An attacker does not need any special network position beyond being a regular visitor to the WordPress site. No prior authentication or write access is required; the attack is performed by sending crafted requests to the plugin's endpoints that lack authorization checks [2]. The attacker can probe for misconfigured access control and exploit the missing checks by directly calling the vulnerable functionality, potentially with knowledge of the plugin's REST API or AJAX action names.
Impact
A successful exploit allows an unprivileged attacker to perform actions that should be restricted to higher-privileged users, such as administrators or shop managers [2]. This can lead to unauthorized disclosure of sensitive information, modification of booking settings, or other configuration changes. The issue is assessed as low severity, with a CVSS v3 base score of 5.3 (Medium) [2], indicating limited but real confidentiality and integrity impact.
Mitigation
The vendor released version 2.0.2 of the Taxi Booking Manager for WooCommerce on 2026-05-22, which addresses the vulnerability [1][2]. All users should update to version 2.0.2 or later as soon as possible. For those unable to update immediately, Patchstack users can enable auto-updates for vulnerable plugins [2]. No other workarounds are disclosed in the available references. The plugin is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog at this time.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.0.1
- Range: <=2.0.1
Patches
No patches discovered yet.