CVE-2026-28040

E-cab Taxi Booking Manager for Woocommerce <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Severity: medium
Weakness type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.4
Patched in: 2.0.1
Time to patch: 8d

Description

The E-cab Taxi Booking Manager for Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 2.0.0
Published: April 23, 2026
Last updated: April 30, 2026

What Changed in the Fix

Changes introduced in v2.0.1


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-28040 (E-cab Taxi Booking Manager for Woocommerce)

1. Vulnerability Summary

The E-cab Taxi Booking Manager for Woocommerce plugin (versions <= 2.0.0) contains an Authenticated (Contributor+) Stored Cross-Site Scripting (XSS) vulnerability. The flaw exists in the handling of REST API key generation via AJAX. Specifically, the mptbm_generate_api_key AJAX action does not properly sanitize the "Key Name" provided by the user and lacks adequate capability checks, allowing low-privileged users (Contributor+) to store malicious scripts. These scripts execute when an administrator views the "API Documentation" page.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • AJAX Action: mptbm_generate_api_key
  • Vulnerable Parameter: name
  • Authentication: Authenticated, Contributor-level user or higher.
  • Preconditions: The "API Documentation" page must exist (registered in MPTBM_API_Documentation::add_documentation_menu). The attacker must be logged in as a Contributor.

3. Code Flow

  1. Entry Point: A Contributor sends a POST request to admin-ajax.php with the action mptbm_generate_api_key.
  2. Hook Registration: In `Admin/MPTBM_
Research Findings
Static analysis — not yet PoC-verified

Summary

The E-cab Taxi Booking Manager for Woocommerce plugin is vulnerable to Stored Cross-Site Scripting via the 'Key Name' parameter in its REST API key generation feature. Authenticated attackers with Contributor-level permissions or higher can inject arbitrary scripts into the database, which execute when an administrator views the API Documentation page.

Vulnerable Code

/* Admin/MPTBM_API_Documentation.php (Version 2.0.0) */

// Line 18-20: Registration of AJAX handlers for API key management
add_action('wp_ajax_mptbm_generate_api_key', array($this, 'ajax_generate_api_key'));
add_action('wp_ajax_mptbm_revoke_api_key', array($this, 'ajax_revoke_api_key'));
add_action('wp_ajax_mptbm_get_api_keys', array($this, 'ajax_get_api_keys'));

---

// Line 75-78: UI component where the vulnerable 'name' input is collected
<div class="generate-key-form">
    <h3><?php esc_html_e('Generate New API Key', 'ecab-taxi-booking-manager'); ?></h3>
    <form id="generate-api-key-form">
        <table class="form-table">
            <tr>
                <th><label for="api-key-name"><?php esc_html_e('Key Name', 'ecab-taxi-booking-manager'); ?></label></th>
                <td><input type="text" id="api-key-name" name="name" class="regular-text" placeholder="<?php esc_attr_e('My Mobile App', 'ecab-taxi-booking-manager'); ?>" required></td>
            </tr>
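The findings above name two missing controls in the key-generation handler (no sanitization of the 'Key Name', no adequate capability check) plus a rendering step in ajax_get_api_keys where the stored value reaches an administrator's browser. The following is an added example and not the plugin's code: hypothetical hardened handlers (the mptbm_hardened_* names, the 'mptbm_api_docs_nonce' action and the 'mptbm_api_keys' option are assumptions) showing where each of those controls belongs.

```php
<?php
// Added example, not the plugin's code: hypothetical hardened handlers (mptbm_hardened_*)
// for the two AJAX actions named on this page. Assumes WordPress is loaded and that keys live
// in a 'mptbm_api_keys' option (both assumed, not taken from the plugin).
add_action('wp_ajax_mptbm_generate_api_key', 'mptbm_hardened_generate_api_key');
add_action('wp_ajax_mptbm_get_api_keys', 'mptbm_hardened_get_api_keys');
// Shared gate: a valid nonce from the plugin's admin page AND an admin-level
// capability, so a Contributor session never reaches the storage step.
function mptbm_hardened_gate() {
    check_ajax_referer('mptbm_api_docs_nonce', 'nonce'); // dies with -1 on failure
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'Insufficient permissions'), 403);
    }
}

function mptbm_hardened_generate_api_key() {
    mptbm_hardened_gate();
    // Sanitize on input: strip tags and control characters, bound the length.
    $name = isset($_POST['name']) ? sanitize_text_field(wp_unslash($_POST['name'])) : '';
    $name = mb_substr($name, 0, 64);
    if ($name === '') {
        wp_send_json_error(array('message' => 'Key name is required'), 400);
    }
    // Allow-list the permissions instead of storing whatever was posted.
    $posted = isset($_POST['permissions']) ? (array) wp_unslash($_POST['permissions']) : array();
    $perms  = array_values(array_intersect(array_map('sanitize_key', $posted), array('read', 'write')));
    $secret = wp_generate_password(40, false);
    $keys   = get_option('mptbm_api_keys', array());
    $keys[] = array(
        'id'          => wp_hash($secret), // store a hash; the secret is shown once
        'name'        => $name,
        'permissions' => $perms,
    );
    update_option('mptbm_api_keys', $keys);
    wp_send_json_success(array('key' => $secret));
}

function mptbm_hardened_get_api_keys() {
    mptbm_hardened_gate();
    // Escape on output too, so a name stored by an unpatched version cannot execute
    // when the administrator's API Documentation page renders the list.
    $rows = array();
    foreach (get_option('mptbm_api_keys', array()) as $key) {
        $rows[] = array(
            'name'        => esc_html($key['name']),
            'permissions' => array_map('esc_html', (array) $key['permissions']),
        );
    }
    wp_send_json_success($rows);
}
```

Escape exactly once on the rendering path: the esc_html() in the list handler is right if the admin-page JavaScript inserts the names as HTML, but if that script uses textContent it should be dropped there, or entities will show literally.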

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/ecab-taxi-booking-manager/2.0.0/Admin/MPTBM_API_Documentation.php /home/deploy/wp-safety.org/data/plugin-versions/ecab-taxi-booking-manager/2.0.1/Admin/MPTBM_API_Documentation.php
--- /home/deploy/wp-safety.org/data/plugin-versions/ecab-taxi-booking-manager/2.0.0/Admin/MPTBM_API_Documentation.php	2025-12-23 08:49:46.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/ecab-taxi-booking-manager/2.0.1/Admin/MPTBM_API_Documentation.php	2026-02-26 15:30:28.000000000 +0000
@@ -31,7 +31,12 @@
         }
         
         public function enqueue_documentation_assets($hook) {
-            if ($hook !== 'mptbm_rent_page_mptbm_api_docs') {
+            // Check if we're on the API documentation page
+            // The hook suffix can vary, so we check for the page parameter
+            $cpt = MPTBM_Function::get_cpt();
+            $expected_hook = $cpt . '_page_mptbm_api_docs';
+            
+            if ($hook !== $expected_hook && strpos($hook, 'mptbm_api_docs') === false) {
                 return;
             }
             
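Review bot: The fallback `strpos($hook, 'mptbm_api_docs') === false` makes the screen check looser than the exact comparison it replaces: any hook suffix that merely contains 'mptbm_api_docs' will now receive the documentation assets. If the only goal is to cope with the CPT-dependent prefix, the `$expected_hook` comparison already does that and the substring fallback can be dropped, or the case it is meant to cover should be stated in the comment. Also, nothing in this hunk touches the `ajax_generate_api_key` handler's sanitization or capability check that the findings on this page name as the root cause; if that change lives elsewhere, the diff should say where.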
@@ -73,7 +78,7 @@
                         <div class="api-keys-manager">
                             <div class="generate-key-form">
                                 <h3><?php esc_html_e('Generate New API Key', 'ecab-taxi-booking-manager'); ?></h3>
-                                <form id="generate-api-key-form">
+                                <form id="generate-api-key-form" action="javascript:void(0);">
                                     <table class="form-table">
                                         <tr>
                                             <th><label for="api-key-name"><?php esc_html_e('Key Name', 'ecab-taxi-booking-manager'); ?></label></th>
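Review bot: Adding `action="javascript:void(0);"` only suppresses the form's native submit/navigation; it neither sanitizes nor escapes the 'Key Name' value, so the stored XSS path described above stays open unless the AJAX handler was changed as well. Prefer `event.preventDefault()` in the form's submit listener: a `javascript:` URL in `action` is also blocked on admin pages served with a Content-Security-Policy that omits 'unsafe-inline'.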

Exploit Outline

  1. Authenticate to the WordPress site as a Contributor or any user with access to the AJAX endpoints.
  2. Locate the REST API documentation nonce (localized as 'nonce' in the 'mptbm-api-docs' script data).
  3. Send a POST request to `/wp-admin/admin-ajax.php` with the action set to `mptbm_generate_api_key`.
  4. In the `name` parameter, include an XSS payload (e.g., `<script>alert(document.domain)</script>`).
  5. Include necessary parameters like `permissions[]` (e.g., `read`) and the extracted nonce.
  6. The plugin stores this key name in the database without sanitization.
  7. When an Administrator logs in and visits the 'API Documentation' page (registered under the plugin's CPT menu), the malicious script will be fetched via `ajax_get_api_keys` and rendered in the browser, triggering the script execution.
