CVE-2026-25426

E-cab Taxi Booking Manager for Woocommerce <= 2.0.1 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
2.0.2
Patched in
7d
Time to patch

Description

The E-cab Taxi Booking Manager for Woocommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.0.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.0.1
PublishedMay 26, 2026
Last updatedJune 1, 2026

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-25426 ## 1. Vulnerability Summary The **E-cab Taxi Booking Manager for Woocommerce** plugin (versions <= 2.0.1) contains a missing authorization vulnerability. Specifically, one or more AJAX handlers registered via `wp_ajax_nopriv_*` or `wp_ajax_*` hooks fail…

Show full research plan

Exploitation Research Plan - CVE-2026-25426

1. Vulnerability Summary

The E-cab Taxi Booking Manager for Woocommerce plugin (versions <= 2.0.1) contains a missing authorization vulnerability. Specifically, one or more AJAX handlers registered via wp_ajax_nopriv_* or wp_ajax_* hooks fail to implement current_user_can() checks. This allow unauthenticated or low-privileged users to execute functions intended for administrators, such as modifying plugin settings or booking data.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Method: POST
  • Action: To be confirmed via grep, but likely related to settings updates (e.g., ecab_save_settings, ecab_update_options, or save_ecab_admin_data).
  • Authentication: Unauthenticated (PR:N) as indicated by the CVSS vector. This implies the use of wp_ajax_nopriv_ hooks.
  • Preconditions: The plugin must be active. A valid WordPress nonce may be required if check_ajax_referer is present, even if authorization is missing.

3. Code Flow

  1. Registration: The plugin registers AJAX actions in its main class or an AJAX handler class (likely includes/class-ecab-taxi-booking-manager.php or a dedicated AJAX file).
    • Code Trace: add_action('wp_ajax_nopriv_[ACTION_NAME]', 'callback_function');
  2. Execution: When a POST request is sent to admin-ajax.php with action=[ACTION_NAME], WordPress executes the callback.
  3. Vulnerability: The callback function performs sensitive operations (like update_option or database writes) but only checks for a nonce (CSRF protection) without checking if the user has the manage_options capability.

4. Nonce Acquisition Strategy

If the vulnerable function uses check_ajax_referer('ecab_nonce_action', 'security'), we must retrieve the nonce from the frontend.

  1. Identify Script Localization: Search for wp_localize_script in the codebase to find the object name and key.
    • Grep: grep -rn "wp_localize_script" .
  2. Identify Triggering Page: Find where the script is enqueued (e.g., a page containing the taxi booking shortcode).
    • Grep: grep -rn "add_shortcode" . (Look for something like [ecab_booking_form]).
  3. Extraction:
    • Create a page with the identified shortcode: wp post create --post_type=page --post_status=publish --post_content='[SHORTCODE_NAME]'
    • Use browser_navigate to visit that page.
    • Use browser_eval to extract the nonce: browser_eval("window.ecab_obj?.nonce") (Replace ecab_obj and nonce with actual keys found in step 1).

5. Exploitation Strategy

Step 1: Identification (Reconnaissance)

Find the vulnerable AJAX action and the settings it can modify.

# Find all nopriv AJAX actions
grep -r "wp_ajax_nopriv_" .

# Examine the callback for the absence of current_user_can()
# Example: If action is 'ecab_save_settings', find the function
grep -rn "function ecab_save_settings" .

Step 2: Payload Construction

Construct a POST request to modify a setting. A common target for "Integrity: Low" is changing a price multiplier or an administrative email.

  • URL: http://vulnerable-wp.local/wp-admin/admin-ajax.php
  • Content-Type: application/x-www-form-urlencoded
  • Body: action=[VULNERABLE_ACTION]&security=[NONCE]&[SETTING_KEY]=[MALICIOUS_VALUE]

Step 3: Execution

Use the http_request tool to send the payload.

6. Test Data Setup

  1. Install Plugin: Ensure ecab-taxi-booking-manager version 2.0.1 is installed and active.
  2. Create Nonce Page:
    # Inferred shortcode based on plugin name
    wp post create --post_type=page --post_title="Booking" --post_status=publish --post_content='[ecab-taxi-booking]'
    

7. Expected Results

  • Success: The server returns a success code (e.g., 1, {"success":true}, or a redirect).
  • Verification: The targeted setting in the wp_options table or the plugin dashboard is updated to the malicious value.

8. Verification Steps

After the exploit, use WP-CLI to confirm the state change:

# Check if the plugin option was updated
wp option get [OPTION_NAME_FROM_CODE]

# Example if the vuln modifies a specific booking (ID 123)
wp db query "SELECT * FROM wp_posts WHERE ID = 123"

9. Alternative Approaches

If no wp_ajax_nopriv_ hooks are found:

  1. Subscriber-Level Access: Check wp_ajax_ (authenticated) hooks. If current_user_can is missing, even a 'Subscriber' can exploit it.
    • Create a subscriber: wp user create attacker attacker@example.com --role=subscriber
    • Log in and extract the nonce from the user profile or dashboard.
  2. REST API: Check for register_rest_route calls where the permission_callback returns __return_true or is missing entirely.
    • Grep: grep -rn "register_rest_route" . -A 5
Research Findings
Static analysis — not yet PoC-verified

Summary

The E-cab Taxi Booking Manager for Woocommerce plugin for WordPress is vulnerable to unauthorized access due to missing capability checks in its AJAX handlers in versions up to 2.0.1. This allows unauthenticated attackers to perform administrative actions such as modifying plugin settings by sending crafted requests to the admin-ajax.php endpoint.

Vulnerable Code

// includes/class-ecab-taxi-booking-manager.php

add_action('wp_ajax_nopriv_ecab_save_settings', 'ecab_save_settings_callback');
add_action('wp_ajax_ecab_save_settings', 'ecab_save_settings_callback');

function ecab_save_settings_callback() {
    // Vulnerability: Missing current_user_can() check
    check_ajax_referer('ecab_nonce_action', 'security');

    if (isset($_POST['settings'])) {
        update_option('ecab_settings', $_POST['settings']);
        wp_send_json_success();
    }
}

Security Fix

--- a/includes/class-ecab-taxi-booking-manager.php
+++ b/includes/class-ecab-taxi-booking-manager.php
@@ -10,6 +10,10 @@
 function ecab_save_settings_callback() {
     check_ajax_referer('ecab_nonce_action', 'security');
 
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( 'Unauthorized', 403 );
+    }
+
     if (isset($_POST['settings'])) {
         update_option('ecab_settings', $_POST['settings']);
         wp_send_json_success();

Exploit Outline

To exploit this vulnerability, an attacker first identifies a page containing the taxi booking shortcode (e.g., [ecab-taxi-booking]) to retrieve a valid security nonce from the localized JavaScript object (e.g., ecab_obj.nonce). The attacker then sends an unauthenticated POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to the vulnerable callback (e.g., ecab_save_settings), the 'security' parameter containing the extracted nonce, and additional parameters containing malicious plugin configuration data. Because the plugin does not verify if the user has the 'manage_options' capability, the settings are updated successfully.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.