CVE-2025-8898 CRITICAL

CVE-2025-8898: Taxi Booking Manager for Woocommerce | E-cab <= 1.3.0 - Missing Authorization to Unauthenticated Privilege Escalation via Account Takeover

Vendor Magepeopleteam
Product E-cab Taxi Booking Manager for Woocommerce
Weakness CWE-862 · Missing authorization
Published August 16, 2025
Last update April 8, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.0. This is due to the plugin not validating a user's capabilities before updating a plugin setting, and not validating a user's identity before updating their account details, such as their email address. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including those of administrators, and leverage that to reset the user's password and gain access to their account. CVE-2025-54713 is likely a duplicate of this issue.
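The defect class named above (CWE-862, a handler that updates a user record or a plugin option without checking who is calling) is easiest to recognise side by side with its fix. The following is an added illustration, not code from the E-cab plugin or its vendor: a generic WordPress admin-ajax handler in the vulnerable shape, followed by a hardened version. The action names, nonce names and the `ecab_demo_` prefix are assumptions chosen for the example; the WordPress API calls (`check_ajax_referer`, `current_user_can`, `wp_update_user`, `wp_send_json_error`) are the real core functions.

```php
<?php
// Added illustrative example (not the E-cab plugin's code). Shows the CWE-862
// pattern from the advisory: an AJAX handler that updates a user's email with
// no capability or identity check, next to a hardened form. All action, nonce
// and option names with the "ecab_demo_" prefix are assumptions.

// --- Vulnerable pattern ------------------------------------------------------
// Registered for anonymous callers too (wp_ajax_nopriv_*) and trusts a user ID
// taken from the request, so any account's email can be rewritten.
add_action( 'wp_ajax_ecab_demo_update_profile',        'ecab_demo_update_profile_vulnerable' );
add_action( 'wp_ajax_nopriv_ecab_demo_update_profile', 'ecab_demo_update_profile_vulnerable' );

function ecab_demo_update_profile_vulnerable() {
    $user_id = absint( $_POST['user_id'] ?? 0 );
    $email   = sanitize_email( $_POST['email'] ?? '' );
    // Missing: login requirement, nonce, and a check that $user_id is the caller.
    wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    wp_send_json_success();
}

// --- Hardened pattern --------------------------------------------------------
// 1. Only logged-in users reach the handler (no *_nopriv registration).
// 2. A nonce ties the request to a form the caller actually loaded.
// 3. The target account comes from the session, not from the request, unless
//    the caller holds the edit_user capability for that account.
add_action( 'wp_ajax_ecab_demo_update_profile_secure', 'ecab_demo_update_profile_secure' );

function ecab_demo_update_profile_secure() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    check_ajax_referer( 'ecab_demo_profile_nonce', 'nonce' );

    $current_id   = get_current_user_id();
    $requested_id = absint( $_POST['user_id'] ?? $current_id );

    // Identity check: a user may edit only their own record unless WordPress
    // grants them edit_user on the target (administrators).
    if ( $requested_id !== $current_id && ! current_user_can( 'edit_user', $requested_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $email = sanitize_email( $_POST['email'] ?? '' );
    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }

    $result = wp_update_user( array( 'ID' => $requested_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}

// Plugin-wide settings need a capability check of their own; the identity
// check above is not a substitute for it.
add_action( 'wp_ajax_ecab_demo_save_settings', 'ecab_demo_save_settings_secure' );

function ecab_demo_save_settings_secure() {
    check_ajax_referer( 'ecab_demo_settings_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $settings = array_map( 'sanitize_text_field', (array) ( $_POST['settings'] ?? array() ) );
    update_option( 'ecab_demo_settings', $settings );
    wp_send_json_success();
}
```

The two checks are deliberately separate: the profile handler asks "is this caller allowed to touch this specific account?", the settings handler asks "does this caller hold the site-wide capability?". Either one missing is enough for the outcome the advisory describes, since an attacker-controlled email address on an administrator account turns the normal password-reset flow into a takeover. When reviewing a plugin, the things to look for are `wp_ajax_nopriv_` registrations on handlers that write, user IDs read from `$_POST` or `$_GET`, and absence of `check_ajax_referer` or `current_user_can` before `wp_update_user` / `update_option`.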

Explanation of Vulnerability in Simple Terms

02 Summary

E-cab Taxi Booking Manager for WooCommerce versions up to 1.3.0 lack proper authorization checks, allowing unauthenticated attackers to access sensitive functionality and data. An attacker can read, modify, or delete bookings, user information, and payment details without logging in. This affects all installations of the plugin without additional access controls.

What an attacker can do

03 Attacker Capabilities

Read, modify, or delete taxi bookings and user data without authentication.

Potential impact on your site

04 Site Impact

Attackers can access and manipulate all booking and customer data, potentially disrupting service and exposing payment information.

Conditions required to exploit

05 Prerequisites

Network access to the WordPress site; no login or user interaction required.

Key dates

06 Disclosure timeline

August 16, 2025 CVE published
April 8, 2026 Record updated