CVE-2025-8898 Overview
The Taxi Booking Manager for WooCommerce (E-cab) plugin for WordPress contains a critical privilege escalation vulnerability that allows unauthenticated attackers to take over arbitrary user accounts, including administrator accounts. The vulnerability exists in all versions up to and including 1.3.0 due to improper validation of user capabilities and identity verification when updating plugin settings and user details.
Critical Impact
Unauthenticated attackers can change any user's email address, including administrators, then leverage the password reset functionality to gain complete access to the compromised account and take full control of the WordPress site.
Affected Products
- Taxi Booking Manager for WooCommerce (E-cab) plugin versions up to and including 1.3.0
- WordPress installations with the vulnerable plugin activated
- WooCommerce sites utilizing E-cab for taxi booking functionality
Discovery Timeline
- 2025-08-16 - CVE-2025-8898 published to NVD
- 2025-08-18 - Last updated in NVD database
Technical Details for CVE-2025-8898
Vulnerability Analysis
This vulnerability stems from a Missing Authorization flaw (CWE-862) in the plugin's REST API implementation. The affected component, MPTBM_Rest_Api.php, fails to implement proper capability checks before allowing modifications to sensitive user data and plugin settings. When processing requests to update user details, the plugin does not verify whether the requesting party has authorization to perform such actions or whether they are the legitimate owner of the account being modified.
The attack requires no authentication, meaning any remote attacker with network access can exploit this vulnerability. Once an attacker changes a target user's email address to one they control, they can initiate a password reset through WordPress's standard recovery mechanism, receiving the reset link at their controlled email address.
Root Cause
The root cause is the absence of proper authorization checks in the REST API endpoints responsible for user data modification. The plugin fails to call WordPress functions like current_user_can() to verify that the requesting user has appropriate permissions before processing sensitive operations. Additionally, there is no identity verification to ensure users can only modify their own account details, allowing any unauthenticated request to modify any user's information.
Attack Vector
The attack is executed remotely over the network without requiring any authentication or user interaction. An attacker can directly send crafted HTTP requests to the vulnerable REST API endpoint to modify a target user's email address. The exploitation flow involves:
- Identifying a WordPress site using the vulnerable E-cab plugin
- Sending an unauthenticated REST API request to change the administrator's email to an attacker-controlled address
- Using WordPress's password reset functionality to request a new password
- Receiving the password reset link at the attacker's email
- Gaining full access to the administrator account
The vulnerability exists in the plugin's REST API implementation within MPTBM_Rest_Api.php. The endpoint that handles user detail updates lacks proper authorization checks, allowing unauthenticated requests to modify sensitive user data. Attackers can craft malicious API requests to change target users' email addresses without any verification of permissions or identity. For detailed technical analysis, refer to the WordPress Plugin Changeset.
Detection Methods for CVE-2025-8898
Indicators of Compromise
- Unexpected changes to user email addresses, particularly for administrator accounts
- Password reset requests initiated for users who did not request them
- Suspicious REST API requests targeting the E-cab plugin endpoints from unknown IP addresses
- New administrator accounts or modified user privileges without legitimate authorization
Detection Strategies
- Monitor WordPress REST API logs for unauthenticated requests to E-cab plugin endpoints
- Implement alerts for user email address modifications, especially for privileged accounts
- Review access logs for patterns indicating automated exploitation attempts
- Enable WordPress activity logging plugins to track user account changes
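The email-change alerting recommended above, implemented as a must-use plugin. This is an added example, not part of the page or of the E-cab plugin; the function name, log format and alert wording are assumptions, while the WordPress hooks and functions used are real.

```php
<?php
/**
 * Plugin Name: Example email-change audit (added example, not from any vendor)
 * Place in wp-content/mu-plugins/ so it cannot be deactivated from the dashboard.
 */

// profile_update fires from wp_update_user()/wp_insert_user() after any user record
// change, whatever the entry point (admin UI, REST API, WP-CLI). Updates written
// straight to the database bypass this hook, so it complements, not replaces, the
// periodic account audit the page recommends.
add_action( 'profile_update', 'example_audit_email_change', 10, 2 );

function example_audit_email_change( $user_id, $old_user_data ) {
    $new = get_userdata( $user_id );
    if ( ! $new || $new->user_email === $old_user_data->user_email ) {
        return; // some other field changed; not of interest here
    }
    // Accounts that can manage the site or other users are the high-value targets.
    $privileged = user_can( $new, 'manage_options' ) || user_can( $new, 'edit_users' );
    $entry = array(
        'time'       => gmdate( 'c' ),
        'user_id'    => $user_id,
        'login'      => $new->user_login,
        'old_email'  => $old_user_data->user_email,
        'new_email'  => $new->user_email,
        'privileged' => $privileged,
        'actor_id'   => get_current_user_id(),   // 0 means an unauthenticated request
        'via_rest'   => defined( 'REST_REQUEST' ) && REST_REQUEST,
        'uri'        => isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '',
        'remote_ip'  => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : '',
    );
    // One JSON line per change; ship the PHP error log to your SIEM and alert on
    // privileged=true, actor_id=0, via_rest=true, which is the shape of this abuse.
    error_log( 'email-change-audit ' . wp_json_encode( $entry ) );

    if ( $privileged && 0 === $entry['actor_id'] ) {
        wp_mail(
            get_option( 'admin_email' ),
            'ALERT: privileged account email changed by an anonymous request',
            wp_json_encode( $entry, JSON_PRETTY_PRINT )
        );
    }
}
```

When the update goes through wp_update_user(), WordPress itself also mails the old address a "notice of email change" (filter send_email_change_email), so users reporting such a notice they did not trigger is another signal worth a help-desk playbook entry.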
Monitoring Recommendations
- Deploy web application firewall (WAF) rules to detect and block malicious REST API requests
- Configure real-time alerting for any administrative account modifications
- Implement SentinelOne Singularity™ for endpoint protection to detect post-exploitation activities
- Regularly audit user accounts for unauthorized changes to email addresses and permissions
How to Mitigate CVE-2025-8898
Immediate Actions Required
- Update the Taxi Booking Manager for WooCommerce (E-cab) plugin to a version newer than 1.3.0 immediately
- Audit all user accounts for unauthorized email address changes since the plugin was installed
- Reset passwords for any accounts that may have been compromised
- Review WordPress access logs for signs of exploitation attempts
- Consider temporarily disabling the plugin if an update is not immediately available
Patch Information
A security patch has been released to address this vulnerability. The fix adds proper authorization checks to the REST API endpoints to ensure only authenticated users with appropriate capabilities can modify user data. The patch can be reviewed in the WordPress Plugin Changeset. Site administrators should update to the latest version available on the WordPress Plugin Directory. Additional vulnerability details are available in the Wordfence Vulnerability Report.
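The authorization check described under Root Cause and Patch Information, shown as an added example (not the E-cab plugin's code or its actual fix). The namespace, route and parameter names are hypothetical; the WordPress APIs used (register_rest_route, current_user_can, wp_update_user, WP_Error) are real. Both routes share one handler, so the only difference is the permission_callback.

```php
<?php
// Added example, not code from the E-cab plugin. Route and parameter names are assumed.

// permission_callback runs before the handler and must fail closed.
function example_update_email_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    $target = (int) $request->get_param( 'user_id' );
    // edit_user is a meta capability: it passes for the caller's own account and
    // otherwise maps to edit_users, which by default only administrators hold. Core's
    // /wp/v2/users update route applies the same check, so a customer can only ever
    // change their own record, and anonymous callers never reach the handler.
    if ( ! current_user_can( 'edit_user', $target ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not edit this user.', array( 'status' => 403 ) );
    }
    return true;
}

function example_update_email( WP_REST_Request $request ) {
    $result = wp_update_user( array(
        'ID'         => (int) $request->get_param( 'user_id' ),
        'user_email' => sanitize_email( $request->get_param( 'email' ) ),
    ) );
    return is_wp_error( $result ) ? $result : array( 'updated' => true );
}

add_action( 'rest_api_init', function () {
    // The defective pattern: the route is public, so any request may set any user's email.
    register_rest_route( 'example-booking/v1', '/user/email', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_update_email',
        'permission_callback' => '__return_true', // missing authorization (CWE-862)
    ) );
    // The hardened registration: same handler, real permission check, typed arguments.
    register_rest_route( 'example-booking/v1', '/user/email-secure', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_update_email',
        'permission_callback' => 'example_update_email_permission',
        'args'                => array(
            'user_id' => array( 'required' => true, 'type' => 'integer' ),
            'email'   => array( 'required' => true, 'type' => 'string', 'format' => 'email' ),
        ),
    ) );
} );
```

Note that cookie-authenticated REST callers must also send a valid X-WP-Nonce header; without it WordPress treats the request as anonymous and is_user_logged_in() returns false, which is the intended fail-closed behaviour.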
Workarounds
- Restrict access to WordPress REST API endpoints at the web server or firewall level until the plugin can be updated
- Implement additional authentication layers such as HTTP Basic Auth for administrative functions
- Use a WordPress security plugin to add rate limiting and request filtering for REST API calls
- Consider disabling the E-cab plugin entirely until a patched version is confirmed installed
# Configuration example - Apache .htaccess rule to restrict REST API access
# Add to WordPress root .htaccess file to block unauthenticated REST API requests
# Caveats: "/wp-json/ecab/" stands for the plugin's route namespace; confirm the real
# prefix from the routes the plugin registers before relying on this rule. Logged-in
# WordPress users authenticate REST calls with a cookie plus X-WP-Nonce, not an
# Authorization header, so this rule blocks them as well (acceptable as a stopgap).
# It also does not cover the ?rest_route=/ecab/... form of the same endpoints.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-json/ecab/ [NC]
RewriteCond %{HTTP:Authorization} ^$
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

