Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in magepeopleteam Taxi Booking Manager for WooCommerce ecab-taxi-booking-manager allows Authentication Abuse. This issue affects Taxi Booking Manager for WooCommerce: from n/a through <= 1.3.0.
Published: 2025-08-20
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability described in the CVE allows authentication circumvention by means of an alternate path or channel, giving attackers the ability to assume privileged access in the Taxi Booking Manager for WooCommerce plugin. The weakness is classified as CWE‑288. Attackers could misuse the bypass to create unauthenticated sessions or impersonate authenticated users, resulting in full control over the booking manager section and potentially the entire WordPress admin area.

Affected Systems

The product affected is the Taxi Booking Manager for WooCommerce plugin developed by magepeopleteam. Versions from the earliest release up to and including 1.3.0 are vulnerable. The issue is present in all builds tagged 1.3.0 or earlier, regardless of the underlying WordPress core version.

Risk and Exploitability

The CVSS score of 9.8 marks this flaw as critical. The EPSS score is below 1%, indicating that the probability of automated or widespread exploitation is low at this time. The vulnerability is not listed in CISA KEV. The likely attack vector is through HTTP requests to the plugin’s authentication endpoints, which can be performed remotely. An attacker only needs to identify an alternate path or channel capable of bypassing normal login checks. Once logged in as a privileged user, the attacker can make arbitrary changes within the booking manager content or user data.

Generated by OpenCVE AI on April 30, 2026 at 03:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of the Taxi Booking Manager for WooCommerce plugin (1.3.1 or later) from the vendor’s official repository.
  • If an upgrade is not immediately possible, block or limit access to the plugin’s administrative URLs using server‑side access controls or by restricting the pages to users with higher‑level privileges.
  • Monitor the WordPress admin and plugin logs for unknown or repeated access attempts and alert on those events.


Advisories
Source: EUVD
ID: EUVD-2025-28564
Title: Authentication Bypass Using an Alternate Path or Channel vulnerability in magepeopleteam Taxi Booking Manager for WooCommerce allows Authentication Abuse. This issue affects Taxi Booking Manager for WooCommerce: from n/a through 1.3.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Authentication Bypass Using an Alternate Path or Channel vulnerability in magepeopleteam Taxi Booking Manager for WooCommerce allows Authentication Abuse. This issue affects Taxi Booking Manager for WooCommerce: from n/a through 1.3.0.
Values Added: Authentication Bypass Using an Alternate Path or Channel vulnerability in magepeopleteam Taxi Booking Manager for WooCommerce ecab-taxi-booking-manager allows Authentication Abuse.This issue affects Taxi Booking Manager for WooCommerce: from n/a through <= 1.3.0.
Title
Values Removed: WordPress Taxi Booking Manager for WooCommerce Plugin <= 1.3.0 - Broken Authentication Vulnerability
Values Added: WordPress Taxi Booking Manager for WooCommerce plugin <= 1.3.0 - Broken Authentication vulnerability
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 21 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared: Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress
Vendors & Products: Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Wed, 20 Aug 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 20 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
Description Authentication Bypass Using an Alternate Path or Channel vulnerability in magepeopleteam Taxi Booking Manager for WooCommerce allows Authentication Abuse. This issue affects Taxi Booking Manager for WooCommerce: from n/a through 1.3.0.
Title WordPress Taxi Booking Manager for WooCommerce Plugin <= 1.3.0 - Broken Authentication Vulnerability
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:35.836Z

Reserved: 2025-07-28T10:56:17.343Z

Link: CVE-2025-54713

Vulnrichment

Updated: 2025-08-20T13:56:37.709Z

NVD

Status: Deferred

Published: 2025-08-20T08:15:49.220

Modified: 2026-04-23T15:32:52.523

Link: CVE-2025-54713

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T03:30:27Z

Weaknesses