[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fUOylGkr2wr5AZM7oVDyXybehN0YMDELpb-z8dUDTpqM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-28040","e-cab-taxi-booking-manager-for-woocommerce-authenticated-contributor-stored-cross-site-scripting","E-cab Taxi Booking Manager for Woocommerce \u003C= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting","The E-cab Taxi Booking Manager for Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","ecab-taxi-booking-manager",null,"\u003C=2.0.0","2.0.1","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-23 00:00:00","2026-04-30 14:53:16",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9ca2c966-cea4-426b-9c70-5cb98fc1d125?source=api-prod",8,[22,23,24,25,26,27,28,29],"Admin\u002FMPTBM_API_Documentation.php","Admin\u002FMPTBM_CPT.php","Admin\u002FMPTBM_License.php","Admin\u002FMPTBM_Settings.php","Admin\u002FMPTBM_Settings_Global.php","Admin\u002FMPTBM_Wc_Checkout_Billing.php","Admin\u002FMPTBM_Wc_Checkout_Order.php","Admin\u002FMPTBM_Wc_Checkout_Shipping.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-28040 (E-cab Taxi Booking Manager for Woocommerce)\n\n## 1. Vulnerability Summary\nThe **E-cab Taxi Booking Manager for Woocommerce** plugin (versions \u003C= 2.0.0) contains an **Authenticated (Contributor+) Stored Cross-Site Scripting (XSS)** vulnerability. The flaw exists in the handling of REST API key generation via AJAX. Specifically, the `mptbm_generate_api_key` AJAX action does not properly sanitize the \"Key Name\" provided by the user and lacks adequate capability checks, allowing low-privileged users (Contributor+) to store malicious scripts. These scripts execute when an administrator views the \"API Documentation\" page.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **AJAX Action:** `mptbm_generate_api_key`\n- **Vulnerable Parameter:** `name`\n- **Authentication:** Authenticated, Contributor-level user or higher.\n- **Preconditions:** The \"API Documentation\" page must exist (registered in `MPTBM_API_Documentation::add_documentation_menu`). The attacker must be logged in as a Contributor.\n\n## 3. Code Flow\n1. **Entry Point:** A Contributor sends a POST request to `admin-ajax.php` with the action `mptbm_generate_api_key`.\n2. **Hook Registration:** In `Admin\u002FMPTBM_","The E-cab Taxi Booking Manager for Woocommerce plugin is vulnerable to Stored Cross-Site Scripting via the 'Key Name' parameter in its REST API key generation feature. Authenticated attackers with Contributor-level permissions or higher can inject arbitrary scripts into the database, which execute when an administrator views the API Documentation page.","\u002F* Admin\u002FMPTBM_API_Documentation.php (Version 2.0.0) *\u002F\n\n\u002F\u002F Line 18-20: Registration of AJAX handlers for API key management\nadd_action('wp_ajax_mptbm_generate_api_key', array($this, 'ajax_generate_api_key'));\nadd_action('wp_ajax_mptbm_revoke_api_key', array($this, 'ajax_revoke_api_key'));\nadd_action('wp_ajax_mptbm_get_api_keys', array($this, 'ajax_get_api_keys'));\n\n---\n\n\u002F\u002F Line 75-78: UI component where the vulnerable 'name' input is collected\n\u003Cdiv class=\"generate-key-form\">\n    \u003Ch3>\u003C?php esc_html_e('Generate New API Key', 'ecab-taxi-booking-manager'); ?>\u003C\u002Fh3>\n    \u003Cform id=\"generate-api-key-form\">\n        \u003Ctable class=\"form-table\">\n            \u003Ctr>\n                \u003Cth>\u003Clabel for=\"api-key-name\">\u003C?php esc_html_e('Key Name', 'ecab-taxi-booking-manager'); ?>\u003C\u002Flabel>\u003C\u002Fth>\n                \u003Ctd>\u003Cinput type=\"text\" id=\"api-key-name\" name=\"name\" class=\"regular-text\" placeholder=\"\u003C?php esc_attr_e('My Mobile App', 'ecab-taxi-booking-manager'); ?>\" required>\u003C\u002Ftd>\n            \u003C\u002Ftr>","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fecab-taxi-booking-manager\u002F2.0.0\u002FAdmin\u002FMPTBM_API_Documentation.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fecab-taxi-booking-manager\u002F2.0.1\u002FAdmin\u002FMPTBM_API_Documentation.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fecab-taxi-booking-manager\u002F2.0.0\u002FAdmin\u002FMPTBM_API_Documentation.php\t2025-12-23 08:49:46.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fecab-taxi-booking-manager\u002F2.0.1\u002FAdmin\u002FMPTBM_API_Documentation.php\t2026-02-26 15:30:28.000000000 +0000\n@@ -31,7 +31,12 @@\n         }\n         \n         public function enqueue_documentation_assets($hook) {\n-            if ($hook !== 'mptbm_rent_page_mptbm_api_docs') {\n+            \u002F\u002F Check if we're on the API documentation page\n+            \u002F\u002F The hook suffix can vary, so we check for the page parameter\n+            $cpt = MPTBM_Function::get_cpt();\n+            $expected_hook = $cpt . '_page_mptbm_api_docs';\n+            \n+            if ($hook !== $expected_hook && strpos($hook, 'mptbm_api_docs') === false) {\n                 return;\n             }\n             \n@@ -73,7 +78,7 @@\n                         \u003Cdiv class=\"api-keys-manager\">\n                             \u003Cdiv class=\"generate-key-form\">\n                                 \u003Ch3>\u003C?php esc_html_e('Generate New API Key', 'ecab-taxi-booking-manager'); ?>\u003C\u002Fh3>\n-                                \u003Cform id=\"generate-api-key-form\">\n+                                \u003Cform id=\"generate-api-key-form\" action=\"javascript:void(0);\">\n                                     \u003Ctable class=\"form-table\">\n                                         \u003Ctr>\n                                             \u003Cth>\u003Clabel for=\"api-key-name\">\u003C?php esc_html_e('Key Name', 'ecab-taxi-booking-manager'); ?>\u003C\u002Flabel>\u003C\u002Fth>","1. Authenticate to the WordPress site as a Contributor or any user with access to the AJAX endpoints.\n2. Locate the REST API documentation nonce (localized as 'nonce' in the 'mptbm-api-docs' script data).\n3. Send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the action set to `mptbm_generate_api_key`.\n4. In the `name` parameter, include an XSS payload (e.g., `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`).\n5. Include necessary parameters like `permissions[]` (e.g., `read`) and the extracted nonce.\n6. The plugin stores this key name in the database without sanitization.\n7. When an Administrator logs in and visits the 'API Documentation' page (registered under the plugin's CPT menu), the malicious script will be fetched via `ajax_get_api_keys` and rendered in the browser, triggering the script execution.","gemini-3-flash-preview","2026-05-04 18:36:23","2026-05-04 18:37:15",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.0.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fecab-taxi-booking-manager\u002Ftags\u002F2.0.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fecab-taxi-booking-manager.2.0.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fecab-taxi-booking-manager\u002Ftags\u002F2.0.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fecab-taxi-booking-manager.2.0.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fecab-taxi-booking-manager\u002Ftags"]