Skip to main content
CVE Vulnerability Database

CVE-2025-8898: WordPress Taxi Booking Escalation Flaw

CVE-2025-8898 is a privilege escalation vulnerability in the Taxi Booking Manager for WooCommerce WordPress plugin, allowing unauthenticated attackers to hijack admin accounts. This article covers technical details, risks, and mitigations.

Updated:

CVE-2025-8898 Overview

CVE-2025-8898 is a critical privilege escalation vulnerability in the Taxi Booking Manager for WooCommerce | E-cab plugin for WordPress. The flaw affects all versions up to and including 1.3.0. The plugin fails to validate user capabilities before updating plugin settings and fails to verify user identity before updating account details such as email addresses. Unauthenticated attackers can change any user's email address, including administrators, then trigger a password reset to gain full account access. CVE-2025-54713 is likely a duplicate of this issue.

Critical Impact

Unauthenticated remote attackers can take over administrator accounts on affected WordPress sites, leading to complete site compromise.

Affected Products

  • Taxi Booking Manager for WooCommerce | E-cab plugin for WordPress (all versions ≤ 1.3.0)
  • WordPress sites running the ecab-taxi-booking-manager plugin
  • WooCommerce installations integrated with the vulnerable E-cab plugin

Discovery Timeline

  • 2025-08-16 - CVE-2025-8898 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-8898

Vulnerability Analysis

The vulnerability is classified as Missing Authorization [CWE-862]. The plugin exposes REST API endpoints in MPTBM_Rest_Api.php that update plugin settings and user profile details without proper authorization checks. Attackers can invoke these endpoints without authentication and modify sensitive fields belonging to other users.

The most damaging path involves changing an administrator's registered email address. Once an attacker controls the email field on an administrator account, they can request a password reset. WordPress then sends the reset link to the attacker-controlled inbox, granting full administrative access to the site.

Account takeover at the administrator level allows arbitrary plugin and theme installation, PHP code execution, database access, and persistent backdoor placement. This makes the issue equivalent to remote code execution on the WordPress host.

Root Cause

The plugin's REST API handlers omit two critical checks. First, capability validation (current_user_can()) is missing before privileged operations such as updating plugin settings. Second, identity validation is missing before mutating user records, allowing one caller to update another user's data. The endpoints accept user identifiers and target email values directly from request input.

Attack Vector

An unauthenticated attacker sends a crafted HTTP request to the vulnerable REST endpoint registered by the plugin. The request specifies a target user identifier (such as the administrator account, typically user ID 1) and a new email address controlled by the attacker. The server processes the request without verifying the caller's identity or capabilities.

After the email is changed, the attacker uses the standard WordPress wp-login.php?action=lostpassword flow to request a password reset, receives the reset link at the attacker-controlled inbox, and authenticates as the administrator.

The vulnerability manifests in REST route handlers within MPTBM_Rest_Api.php. See the WordPress Plugin Changeset for the upstream fix and the Wordfence Vulnerability Report for additional analysis.

Detection Methods for CVE-2025-8898

Indicators of Compromise

  • Unexpected modifications to administrator email addresses in wp_users without a corresponding admin-initiated profile change.
  • Password reset emails delivered to unfamiliar external domains for privileged accounts.
  • Unauthenticated POST or PUT requests to plugin REST routes under /wp-json/ namespaces registered by the E-cab plugin.
  • New administrator accounts, plugin installs, or theme uploads occurring shortly after suspicious REST traffic.

Detection Strategies

  • Review web server access logs for unauthenticated requests targeting REST endpoints exposed by ecab-taxi-booking-manager.
  • Correlate WordPress audit events for user_email changes with the originating IP address and authentication state.
  • Alert on password reset requests for administrator accounts that originate from anomalous geographic locations or user agents.

Monitoring Recommendations

  • Enable WordPress activity logging plugins to capture user profile mutations and REST API calls with caller identity.
  • Forward web and application logs to a centralized SIEM and alert on REST calls to plugin namespaces from unauthenticated sessions.
  • Monitor outbound mail logs for password reset notifications routed to external addresses tied to privileged accounts.

How to Mitigate CVE-2025-8898

Immediate Actions Required

  • Update the Taxi Booking Manager for WooCommerce | E-cab plugin to the latest version above 1.3.0 that contains the fix referenced in changeset 3343878.
  • Audit all administrator and editor accounts for unauthorized email address changes and reset credentials where tampering is suspected.
  • Rotate WordPress secrets in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY, etc.) to invalidate any stolen sessions.
  • Review recently installed plugins, themes, and wp_users entries for attacker-introduced persistence.

Patch Information

The vendor addressed the missing authorization checks in the plugin's REST API handlers. See the WordPress Plugin Changeset for the upstream commit and the WordPress Plugin Information page for the latest release.

Workarounds

  • Deactivate and remove the ecab-taxi-booking-manager plugin until the patched version can be deployed.
  • Block requests to the plugin's REST namespace at the web application firewall (WAF) for unauthenticated callers.
  • Restrict the WordPress REST API to authenticated users via a filter on rest_authentication_errors where business requirements allow.
  • Limit password reset email delivery to known administrative domains using an SMTP relay rule.
bash
# Example: WordPress CLI commands to audit and remediate
wp plugin update ecab-taxi-booking-manager
wp user list --role=administrator --fields=ID,user_login,user_email
wp config shuffle-salts

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.