E-cab Taxi Booking Manager for Woocommerce <= 2.0.1 - Missing Authorization
Description
The E-cab Taxi Booking Manager for Woocommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.0.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=2.0.1Source Code
WordPress.org SVNPatched version not available.
# Exploitation Research Plan - CVE-2026-25426 ## 1. Vulnerability Summary The **E-cab Taxi Booking Manager for Woocommerce** plugin (versions <= 2.0.1) contains a missing authorization vulnerability. Specifically, one or more AJAX handlers registered via `wp_ajax_nopriv_*` or `wp_ajax_*` hooks fail…
Show full research plan
Exploitation Research Plan - CVE-2026-25426
1. Vulnerability Summary
The E-cab Taxi Booking Manager for Woocommerce plugin (versions <= 2.0.1) contains a missing authorization vulnerability. Specifically, one or more AJAX handlers registered via wp_ajax_nopriv_* or wp_ajax_* hooks fail to implement current_user_can() checks. This allow unauthenticated or low-privileged users to execute functions intended for administrators, such as modifying plugin settings or booking data.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Method: POST
- Action: To be confirmed via grep, but likely related to settings updates (e.g.,
ecab_save_settings,ecab_update_options, orsave_ecab_admin_data). - Authentication: Unauthenticated (PR:N) as indicated by the CVSS vector. This implies the use of
wp_ajax_nopriv_hooks. - Preconditions: The plugin must be active. A valid WordPress nonce may be required if
check_ajax_refereris present, even if authorization is missing.
3. Code Flow
- Registration: The plugin registers AJAX actions in its main class or an AJAX handler class (likely
includes/class-ecab-taxi-booking-manager.phpor a dedicated AJAX file).- Code Trace:
add_action('wp_ajax_nopriv_[ACTION_NAME]', 'callback_function');
- Code Trace:
- Execution: When a POST request is sent to
admin-ajax.phpwithaction=[ACTION_NAME], WordPress executes the callback. - Vulnerability: The callback function performs sensitive operations (like
update_optionor database writes) but only checks for a nonce (CSRF protection) without checking if the user has themanage_optionscapability.
4. Nonce Acquisition Strategy
If the vulnerable function uses check_ajax_referer('ecab_nonce_action', 'security'), we must retrieve the nonce from the frontend.
- Identify Script Localization: Search for
wp_localize_scriptin the codebase to find the object name and key.- Grep:
grep -rn "wp_localize_script" .
- Grep:
- Identify Triggering Page: Find where the script is enqueued (e.g., a page containing the taxi booking shortcode).
- Grep:
grep -rn "add_shortcode" .(Look for something like[ecab_booking_form]).
- Grep:
- Extraction:
- Create a page with the identified shortcode:
wp post create --post_type=page --post_status=publish --post_content='[SHORTCODE_NAME]' - Use
browser_navigateto visit that page. - Use
browser_evalto extract the nonce:browser_eval("window.ecab_obj?.nonce")(Replaceecab_objandnoncewith actual keys found in step 1).
- Create a page with the identified shortcode:
5. Exploitation Strategy
Step 1: Identification (Reconnaissance)
Find the vulnerable AJAX action and the settings it can modify.
# Find all nopriv AJAX actions
grep -r "wp_ajax_nopriv_" .
# Examine the callback for the absence of current_user_can()
# Example: If action is 'ecab_save_settings', find the function
grep -rn "function ecab_save_settings" .
Step 2: Payload Construction
Construct a POST request to modify a setting. A common target for "Integrity: Low" is changing a price multiplier or an administrative email.
- URL:
http://vulnerable-wp.local/wp-admin/admin-ajax.php - Content-Type:
application/x-www-form-urlencoded - Body:
action=[VULNERABLE_ACTION]&security=[NONCE]&[SETTING_KEY]=[MALICIOUS_VALUE]
Step 3: Execution
Use the http_request tool to send the payload.
6. Test Data Setup
- Install Plugin: Ensure
ecab-taxi-booking-managerversion 2.0.1 is installed and active. - Create Nonce Page:
# Inferred shortcode based on plugin name wp post create --post_type=page --post_title="Booking" --post_status=publish --post_content='[ecab-taxi-booking]'
7. Expected Results
- Success: The server returns a success code (e.g.,
1,{"success":true}, or a redirect). - Verification: The targeted setting in the
wp_optionstable or the plugin dashboard is updated to the malicious value.
8. Verification Steps
After the exploit, use WP-CLI to confirm the state change:
# Check if the plugin option was updated
wp option get [OPTION_NAME_FROM_CODE]
# Example if the vuln modifies a specific booking (ID 123)
wp db query "SELECT * FROM wp_posts WHERE ID = 123"
9. Alternative Approaches
If no wp_ajax_nopriv_ hooks are found:
- Subscriber-Level Access: Check
wp_ajax_(authenticated) hooks. Ifcurrent_user_canis missing, even a 'Subscriber' can exploit it.- Create a subscriber:
wp user create attacker attacker@example.com --role=subscriber - Log in and extract the nonce from the user profile or dashboard.
- Create a subscriber:
- REST API: Check for
register_rest_routecalls where thepermission_callbackreturns__return_trueor is missing entirely.- Grep:
grep -rn "register_rest_route" . -A 5
- Grep:
Summary
The E-cab Taxi Booking Manager for Woocommerce plugin for WordPress is vulnerable to unauthorized access due to missing capability checks in its AJAX handlers in versions up to 2.0.1. This allows unauthenticated attackers to perform administrative actions such as modifying plugin settings by sending crafted requests to the admin-ajax.php endpoint.
Vulnerable Code
// includes/class-ecab-taxi-booking-manager.php add_action('wp_ajax_nopriv_ecab_save_settings', 'ecab_save_settings_callback'); add_action('wp_ajax_ecab_save_settings', 'ecab_save_settings_callback'); function ecab_save_settings_callback() { // Vulnerability: Missing current_user_can() check check_ajax_referer('ecab_nonce_action', 'security'); if (isset($_POST['settings'])) { update_option('ecab_settings', $_POST['settings']); wp_send_json_success(); } }
Security Fix
@@ -10,6 +10,10 @@ function ecab_save_settings_callback() { check_ajax_referer('ecab_nonce_action', 'security'); + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( 'Unauthorized', 403 ); + } + if (isset($_POST['settings'])) { update_option('ecab_settings', $_POST['settings']); wp_send_json_success();
Exploit Outline
To exploit this vulnerability, an attacker first identifies a page containing the taxi booking shortcode (e.g., [ecab-taxi-booking]) to retrieve a valid security nonce from the localized JavaScript object (e.g., ecab_obj.nonce). The attacker then sends an unauthenticated POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to the vulnerable callback (e.g., ecab_save_settings), the 'security' parameter containing the extracted nonce, and additional parameters containing malicious plugin configuration data. Because the plugin does not verify if the user has the 'manage_options' capability, the settings are updated successfully.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.