CVE-2026-25426 Overview
CVE-2026-25426 is a Missing Authorization vulnerability [CWE-862] in the Magepeople Taxi Booking Manager for WooCommerce plugin for WordPress. The flaw affects all plugin versions up to and including 2.0.1. The vulnerability stems from incorrectly configured access control security levels on plugin endpoints. Unauthenticated attackers can exploit this issue over the network without user interaction. Successful exploitation results in limited disclosure of information that should be restricted by access controls.
Critical Impact
Unauthenticated network attackers can call plugin endpoints that lack an authorization check and read a limited amount of data that should require authorization. The advisory scopes the impact to confidentiality only; no integrity or availability impact is attributed to this issue.
Affected Products
- Magepeople Taxi Booking Manager for WooCommerce plugin for WordPress
- All versions from n/a through 2.0.1
- WordPress sites using the ecab-taxi-booking-manager plugin
Discovery Timeline
- 2026-05-26 - CVE-2026-25426 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-25426
Vulnerability Analysis
The vulnerability is classified as Missing Authorization under [CWE-862]. The Taxi Booking Manager for WooCommerce plugin exposes functionality without verifying that the requesting user has the required permissions. The flaw is reachable over the network with low attack complexity and no privileges or user interaction required.
The impact is limited to confidentiality. An attacker can read data that should be restricted, but cannot directly modify data or affect availability through this specific issue. The EPSS score is low at the time of disclosure, meaning a low predicted probability of exploitation in the wild; the score is recomputed daily and should be rechecked rather than treated as a fixed property of the CVE.
WordPress plugins commonly implement administrative or booking-related actions through admin-ajax.php handlers or REST routes. A handler registered on the wp_ajax_nopriv_{action} hook, or a REST route whose permission_callback returns true, is reachable by anonymous visitors by design; it then needs its own current_user_can() (or ownership) check before touching restricted data. A check such as is_user_logged_in() alone is also insufficient for privileged data, because it admits any low-privileged account. The Patchstack advisory documents this as a broken access control issue in the plugin.
Root Cause
The root cause is missing or incomplete authorization logic on one or more plugin endpoints. The code performs the requested action without verifying capability, role membership, or ownership of the requested record, so requests from anonymous callers are served as if they came from an authorized user.
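The following is an added illustration of the pattern described in the analysis and root-cause paragraphs above; it is not code from the Taxi Booking Manager plugin or from Patchstack. The action names, the capability used (WooCommerce's manage_woocommerce), the post meta keys and the REST namespace are all assumed placeholders. The first handler shows the CWE-862 shape (anonymous hook, no capability check); the second shows the same lookup hardened.

```php
<?php
// Added example, not plugin code. All names below are hypothetical placeholders.

// VULNERABLE PATTERN (CWE-862): registering on wp_ajax_nopriv_* makes
// admin-ajax.php dispatch to this handler for anonymous visitors, and the body
// never asks whether the caller may see the booking.
add_action( 'wp_ajax_example_get_booking', 'example_get_booking_vulnerable' );
add_action( 'wp_ajax_nopriv_example_get_booking', 'example_get_booking_vulnerable' );

function example_get_booking_vulnerable() {
    $booking_id = isset( $_GET['booking_id'] ) ? absint( $_GET['booking_id'] ) : 0;
    wp_send_json_success( array(
        'customer' => get_post_meta( $booking_id, 'customer_name', true ),   // assumed meta key
        'pickup'   => get_post_meta( $booking_id, 'pickup_address', true ),  // assumed meta key
    ) );
}

// HARDENED PATTERN: authenticated hook only, a nonce against CSRF, and an
// explicit authorization decision (record owner or a capability) before any
// data is returned. Missing and forbidden records get the same 403 so that
// booking IDs cannot be enumerated by comparing responses.
add_action( 'wp_ajax_example_get_booking_secure', 'example_get_booking_secure' );
// Deliberately no wp_ajax_nopriv_ registration for this action.

function example_get_booking_secure() {
    check_ajax_referer( 'example_booking_nonce', 'nonce' ); // dies with 403 on bad/missing nonce

    $booking_id = isset( $_GET['booking_id'] ) ? absint( $_GET['booking_id'] ) : 0;
    $booking    = $booking_id ? get_post( $booking_id ) : null;

    $is_owner   = $booking && (int) $booking->post_author === get_current_user_id();
    $is_manager = current_user_can( 'manage_woocommerce' ); // assumed capability

    if ( ! $booking || ( ! $is_owner && ! $is_manager ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    wp_send_json_success( array(
        'customer' => get_post_meta( $booking->ID, 'customer_name', true ),
        'pickup'   => get_post_meta( $booking->ID, 'pickup_address', true ),
    ) );
}

// Same rule for REST routes: permission_callback is the authorization check.
// Returning '__return_true' there is the REST equivalent of wp_ajax_nopriv_.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-booking/v1', '/booking/(?P<id>\d+)', array( // assumed namespace
        'methods'             => 'GET',
        'callback'            => 'example_rest_get_booking',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $booking = get_post( absint( $request['id'] ) );
            return $booking
                && ( (int) $booking->post_author === get_current_user_id()
                     || current_user_can( 'manage_woocommerce' ) );
        },
        'args' => array( 'id' => array( 'validate_callback' => 'is_numeric' ) ),
    ) );
} );

function example_rest_get_booking( WP_REST_Request $request ) {
    $id = absint( $request['id'] );
    return rest_ensure_response( array(
        'customer' => get_post_meta( $id, 'customer_name', true ),
        'pickup'   => get_post_meta( $id, 'pickup_address', true ),
    ) );
}
```

When reviewing a plugin for this class of bug, grep for wp_ajax_nopriv_ registrations and for permission_callback values of __return_true, then confirm each handler body makes its own authorization decision; the nonce in check_ajax_referer() is a CSRF control, not an authorization check, and does not substitute for current_user_can().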
Attack Vector
An attacker sends crafted HTTP requests directly to the vulnerable plugin endpoints exposed by a WordPress site running Taxi Booking Manager for WooCommerce version 2.0.1 or earlier. No authentication is required. The response contains data intended for authorized users only.
No verified public proof-of-concept code is available. Refer to the Patchstack Vulnerability Report for additional technical context.
Detection Methods for CVE-2026-25426
Indicators of Compromise
- Unauthenticated HTTP requests to wp-admin/admin-ajax.php with action parameters belonging to the ecab-taxi-booking-manager plugin.
- Requests to plugin REST routes (under /wp-json/ or via the ?rest_route= fallback) or AJAX handlers that carry no wordpress_logged_in_* cookie, especially from IPs with no other site activity.
- Anomalous volume of GET or POST requests targeting booking-related plugin endpoints from a single source.
Detection Strategies
- Inventory WordPress installations and identify sites running the Taxi Booking Manager for WooCommerce plugin at version 2.0.1 or earlier.
- Review web server access logs for requests to plugin endpoints lacking a wordpress_logged_in_* cookie. Note that the default combined log format does not record cookies or POST bodies; a custom log format (for example one that appends %{Cookie}i) is needed for this check, and an AJAX action sent only in a POST body will not appear in the log.
- Deploy a Web Application Firewall (WAF) rule that flags unauthenticated access to plugin AJAX actions associated with administrative or booking data.
Monitoring Recommendations
- Forward WordPress and web server logs to a centralized SIEM for correlation against the plugin path.
- Alert on bursts of admin-ajax.php requests with plugin-specific action values from unauthenticated sessions.
- Track outbound responses with unusual sizes from plugin endpoints, which may indicate data enumeration.
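The detection logic from the two lists above, written out as an added example (not a tool shipped with the advisory or the plugin): it parses access-log lines, flags unauthenticated requests to watchlisted plugin AJAX actions and REST routes that returned a body, and counts bursts per source IP. The log format is a constructed one, Apache combined plus a trailing quoted %{Cookie}i field; the action names and REST namespace are placeholders, and the sample lines are constructed for the example.

```php
<?php
// Added example, not vendor or advisory code. Parses a constructed log format:
// Apache "combined" with one extra trailing field, "%{Cookie}i" in quotes.
// The stock combined format has no cookie field, so the 'authed' signal below
// is only available if the server is configured to log it.
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "[^"]*" "[^"]*" "([^"]*)"$/';

// Watchlist (placeholders): AJAX actions and REST route prefixes that the plugin
// should never serve to an anonymous caller. Scoping to a list matters because
// legitimate front-end visitors hit other nopriv actions without a cookie.
const WATCHED_ACTIONS = array( 'example_get_booking', 'example_list_bookings' );
const WATCHED_REST    = array( '/example-booking/v1/' );

function parse_line( $line ) {
    if ( ! preg_match( LOG_RE, trim( $line ), $m ) ) {
        return null;
    }
    $url   = parse_url( $m[4] );
    $query = array();
    if ( isset( $url['query'] ) ) {
        parse_str( $url['query'], $query );
    }
    return array(
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => isset( $url['path'] ) ? $url['path'] : '',
        'query'  => $query,
        'status' => (int) $m[5],
        'bytes'  => $m[6] === '-' ? 0 : (int) $m[6],
        'authed' => strpos( $m[7], 'wordpress_logged_in_' ) !== false,
    );
}

function is_watched( array $r ) {
    if ( preg_match( '~/admin-ajax\.php$~', $r['path'] ) ) {
        // Only query-string actions are visible here; a POST body is not logged.
        return isset( $r['query']['action'] )
            && in_array( $r['query']['action'], WATCHED_ACTIONS, true );
    }
    // REST: pretty-permalink form /wp-json/<route> or the ?rest_route=<route> fallback.
    $route = null;
    if ( strpos( $r['path'], '/wp-json/' ) === 0 ) {
        $route = substr( $r['path'], strlen( '/wp-json' ) );
    } elseif ( isset( $r['query']['rest_route'] ) ) {
        $route = $r['query']['rest_route'];
    }
    if ( $route === null ) {
        return false;
    }
    foreach ( WATCHED_REST as $prefix ) {
        if ( strpos( $route, $prefix ) === 0 ) {
            return true;
        }
    }
    return false;
}

// Returns the unauthenticated hits on watched endpoints that got a 200 (a 403
// means the check held) plus per-IP counts at or above the burst threshold.
function scan( array $lines, $burst_threshold = 2 ) {
    $hits   = array();
    $per_ip = array();
    foreach ( $lines as $line ) {
        $r = parse_line( $line );
        if ( ! $r || $r['authed'] || ! is_watched( $r ) || $r['status'] !== 200 ) {
            continue;
        }
        $hits[] = $r;
        $per_ip[ $r['ip'] ] = ( isset( $per_ip[ $r['ip'] ] ) ? $per_ip[ $r['ip'] ] : 0 ) + 1;
    }
    $bursts = array_filter( $per_ip, function ( $n ) use ( $burst_threshold ) {
        return $n >= $burst_threshold;
    } );
    return array( 'hits' => $hits, 'bursts' => $bursts );
}

// Constructed sample lines (RFC 5737 addresses): two anonymous AJAX lookups,
// one authenticated admin POST, two anonymous REST lookups, one unrelated page.
$sample = array(
    '203.0.113.10 - - [26/May/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_get_booking&booking_id=101 HTTP/1.1" 200 512 "-" "curl/8.4.0" "-"',
    '203.0.113.10 - - [26/May/2026:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=example_get_booking&booking_id=102 HTTP/1.1" 200 509 "-" "curl/8.4.0" "-"',
    '198.51.100.7 - - [26/May/2026:10:02:10 +0000] "GET /wp-admin/admin-ajax.php?action=example_list_bookings HTTP/1.1" 200 340 "https://shop.example/wp-admin/" "Mozilla/5.0" "wordpress_logged_in_abc123=admin%7C1780000000%7Ctoken%7Chash; wp-settings-1=x"',
    '192.0.2.44 - - [26/May/2026:10:03:00 +0000] "GET /wp-json/example-booking/v1/booking/55 HTTP/1.1" 200 488 "-" "python-requests/2.31" "-"',
    '192.0.2.44 - - [26/May/2026:10:03:01 +0000] "GET /index.php?rest_route=/example-booking/v1/booking/56 HTTP/1.1" 200 490 "-" "python-requests/2.31" "-"',
    '203.0.113.99 - - [26/May/2026:10:04:00 +0000] "GET /?p=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0" "-"',
);

$result = scan( $sample );
foreach ( $result['hits'] as $h ) {
    printf( "%s %s %s %s %d bytes\n", $h['time'], $h['ip'], $h['method'], $h['path'], $h['bytes'] );
}
foreach ( $result['bursts'] as $ip => $n ) {
    printf( "burst: %s made %d unauthenticated watched requests\n", $ip, $n );
}
```

On the constructed sample this reports four hits (the two curl lookups and the two python-requests REST calls) and two bursts, one per scanning IP; the authenticated admin request and the unrelated page view are skipped. Response size is kept in the output because a run of similar-sized 200 responses to sequential IDs is the enumeration pattern the monitoring list refers to.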
How to Mitigate CVE-2026-25426
Immediate Actions Required
- Identify all WordPress sites running the Taxi Booking Manager for WooCommerce plugin and confirm the installed version.
- Apply the vendor-supplied patch as soon as a fixed release becomes available on the WordPress plugin repository.
- Restrict access to the affected plugin endpoints at the WAF or reverse proxy layer until a patched version is deployed.
- Audit existing booking data for signs of unauthorized access or enumeration.
Patch Information
At the time of publication, the advisory lists affected versions from n/a through 2.0.1. Monitor the Patchstack Vulnerability Report and the official WordPress plugin page for a fixed release. Upgrade to the patched version once published by Magepeople.
Workarounds
- Deactivate and remove the Taxi Booking Manager for WooCommerce plugin until a fixed version is available if the booking functionality is non-essential.
- Block unauthenticated access to plugin AJAX and REST endpoints using WAF rules or server-level access controls.
- Restrict access to the WordPress site by IP allowlisting where operationally feasible.
- Enforce least privilege on WordPress user roles and review the plugin's permissions configuration. This limits what a compromised low-privileged account can reach but does not close the unauthenticated path described in this advisory.
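As an added example of the second workaround applied inside WordPress rather than at a WAF, the following must-use plugin denies anonymous admin-ajax.php calls to a deny-list of actions and forces a capability on REST routes under a given namespace. It is not vendor code; the action names, REST namespace and the manage_woocommerce capability are assumed placeholders that must be replaced with the values the installed plugin actually uses, and it should be removed once a fixed plugin release is installed.

```php
<?php
/**
 * Plugin Name: Interim deny-list for anonymous plugin endpoints
 * Description: Added example, not vendor code. Place in wp-content/mu-plugins/
 *              as a temporary control; remove after upgrading the plugin.
 */

// Placeholders: the wp_ajax_nopriv_* actions that must not be reachable anonymously.
const EXAMPLE_DENIED_NOPRIV_ACTIONS = array( 'example_get_booking', 'example_list_bookings' );
// Placeholder REST namespace and the capability required to reach it.
const EXAMPLE_PROTECTED_REST_PREFIX = '/example-booking/v1/';
const EXAMPLE_REQUIRED_CAP          = 'manage_woocommerce';

// admin-ajax.php fires admin_init before it dispatches to wp_ajax_nopriv_{action},
// so a hook here at priority 0 runs ahead of the vulnerable handler.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() || is_user_logged_in() ) {
        return; // only anonymous AJAX traffic is in scope
    }
    $action = isset( $_REQUEST['action'] ) ? (string) wp_unslash( $_REQUEST['action'] ) : '';
    if ( in_array( $action, EXAMPLE_DENIED_NOPRIV_ACTIONS, true ) ) {
        // Record the block for the SIEM, then stop before the handler executes.
        error_log( sprintf(
            'blocked anonymous ajax action=%s ip=%s',
            $action,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
        ) );
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}, 0 );

// REST side: rest_pre_dispatch runs after cookie authentication and before the
// route's own permission_callback, so returning a WP_Error here short-circuits
// any route in the namespace for callers without the capability.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( strpos( $request->get_route(), EXAMPLE_PROTECTED_REST_PREFIX ) === 0
         && ! current_user_can( EXAMPLE_REQUIRED_CAP ) ) {
        return new WP_Error( 'rest_forbidden', 'Forbidden', array( 'status' => 403 ) );
    }
    return $result;
}, 10, 3 );
```

Test the deny-list against the plugin's own front-end booking flow before deploying, since a legitimate nopriv action that customers need will break if it is listed; the point is to block only the actions that return data the advisory says should be restricted.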
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.