CVE-2025-8898
📋 TL;DR
This vulnerability allows unauthenticated attackers to change any user's email address in the Taxi Booking Manager for Woocommerce plugin, including administrators. Attackers can then use password reset functionality to take over accounts and escalate privileges. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Taxi Booking Manager for Woocommerce | E-cab WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise with administrative account takeover leading to data theft, malware injection, defacement, or ransomware deployment.
Likely Case
Administrative account takeover leading to plugin/theme manipulation, user data exposure, and potential e-commerce fraud.
If Mitigated
Limited impact if strong network controls, WAF rules, and monitoring prevent exploitation attempts.
🎯 Exploit Status
Simple API endpoint manipulation with no authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.3.0
Vendor Advisory: https://wordpress.org/plugins/ecab-taxi-booking-manager/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Taxi Booking Manager for Woocommerce | E-cab'. 4. Click 'Update Now' if available, or delete and reinstall latest version.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily deactivate the plugin until patched
wp plugin deactivate ecab-taxi-booking-manager
WAF rule blocking
allBlock requests to vulnerable REST API endpoints
🧯 If You Can't Patch
- Implement strict network access controls to limit plugin API exposure
- Enable detailed logging and monitoring for user email change attempts
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed PluginsCheck Version:
wp plugin get ecab-taxi-booking-manager --field=versionVerify Fix Applied:
Confirm plugin version is greater than 1.3.0📡 Detection & Monitoring
Log Indicators:
- Unusual user email modification events
- Multiple failed password reset attempts
- API requests to /wp-json/mptbm/v1/ endpoints from unexpected sources
Network Indicators:
- POST requests to user update endpoints without authentication
- Unusual spikes in password reset emails
SIEM Query:
source="wordpress.log" AND ("email changed" OR "password reset" OR "/mptbm/v1/")