Description
The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.0. This is due to the plugin not properly validating a user's capabilities prior to updating a plugin setting, or their identity prior to updating their details such as their email address. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators', and leverage that to reset the user's password and gain access to their account. CVE-2025-54713 is likely a duplicate of this issue.
Published: 2025-08-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Account Takeover
Action: Immediate Patch
AI Analysis

Impact

The E‑cab Taxi Booking Manager for WooCommerce plugin fails to verify a user’s capabilities before allowing changes to plugin settings, and fails to verify a user’s identity before allowing changes to account details. An unauthenticated attacker can therefore alter any user’s email address, including those of administrators. The attacker can then trigger a password reset for that user, receive the reset link at the attacker-controlled address, and assume the account, effectively obtaining full control of the WordPress site. The root cause is missing authorization (CWE‑862); the consequence is privilege escalation via account takeover.

Affected Systems

All installations of the MagePeopleTeam E‑cab Taxi Booking Manager for WooCommerce, version 1.3.0 or earlier, are vulnerable. The issue exists on every WordPress site that runs these plugin versions. Site owners should identify whether their current installation falls into this range.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.8, indicating critical severity. The EPSS score is below 1 %, suggesting a low exploitation probability at the time of analysis, and it is not listed in the CISA KEV catalog. The flaw allows an unauthenticated attacker to change any user’s email address, reset that account’s password and thereby escalate to that user’s privileges. Based on the description, it is inferred that the attacker could use the plugin’s exposed settings or user‑management controls without authentication to carry out the change.

Generated by OpenCVE AI on April 21, 2026 at 03:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the E‑cab Taxi Booking Manager for WooCommerce plugin to the latest available version where the capability checks have been restored.
  • While upgrading, temporarily disable the plugin or block external access to its functionality to prevent unauthorized email changes.
  • Verify that all user accounts have unique, strong passwords and monitor for unexpected account changes or password reset notifications.


Advisories
Source: EUVD
ID: EUVD-2025-25073
Title: The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.0. This is due to the plugin not properly validating a user's capabilities prior to updating a plugin setting or their identity prior to updating their details like email address. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
History

Wed, 08 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.0. This is due to the plugin not properly validating a user's capabilities prior to updating a plugin setting or their identity prior to updating their details like email address. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
Values Added: The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.0. This is due to the plugin not properly validating a user's capabilities prior to updating a plugin setting or their identity prior to updating their details like email address. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. CVE-2025-54713 is likely a duplicate of this issue.

Mon, 18 Aug 2025 18:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 16 Aug 2025 06:45:00 +0000

Type: Description
Values Added: The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.0. This is due to the plugin not properly validating a user's capabilities prior to updating a plugin setting or their identity prior to updating their details like email address. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
Type: Title
Values Added: Taxi Booking Manager for Woocommerce | E-cab <= 1.3.0 - Missing Authorization to Unauthenticated Privilege Escalation via Account Takeover
Type: Weaknesses
Values Added: CWE-862
Type: References
Values Added:
Type: Metrics (cvssV3_1)
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:56.208Z

Reserved: 2025-08-12T17:46:43.835Z

Link: CVE-2025-8898

Vulnrichment

Updated: 2025-08-18T17:57:11.133Z

NVD

Status: Deferred

Published: 2025-08-16T07:15:28.160

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8898

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T03:30:26Z

Weaknesses