[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f4Ihw77l78_vZon8duJgqGzMp8NzbL1jved9MNgObZKE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-25426","e-cab-taxi-booking-manager-for-woocommerce-missing-authorization","E-cab Taxi Booking Manager for Woocommerce \u003C= 2.0.1 - Missing Authorization","The E-cab Taxi Booking Manager for Woocommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.0.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.","ecab-taxi-booking-manager",null,"\u003C=2.0.1","2.0.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-26 00:00:00","2026-06-01 16:28:20",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F45bd23c5-3894-4483-aa41-851b06c82e98?source=api-prod",7,[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-25426\n\n## 1. Vulnerability Summary\nThe **E-cab Taxi Booking Manager for Woocommerce** plugin (versions \u003C= 2.0.1) contains a missing authorization vulnerability. Specifically, one or more AJAX handlers registered via `wp_ajax_nopriv_*` or `wp_ajax_*` hooks fail to implement `current_user_can()` checks. This allow unauthenticated or low-privileged users to execute functions intended for administrators, such as modifying plugin settings or booking data.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** POST\n- **Action:** To be confirmed via grep, but likely related to settings updates (e.g., `ecab_save_settings`, `ecab_update_options`, or `save_ecab_admin_data`).\n- **Authentication:** Unauthenticated (PR:N) as indicated by the CVSS vector. This implies the use of `wp_ajax_nopriv_` hooks.\n- **Preconditions:** The plugin must be active. A valid WordPress nonce may be required if `check_ajax_referer` is present, even if authorization is missing.\n\n## 3. Code Flow\n1. **Registration:** The plugin registers AJAX actions in its main class or an AJAX handler class (likely `includes\u002Fclass-ecab-taxi-booking-manager.php` or a dedicated AJAX file).\n   - *Code Trace:* `add_action('wp_ajax_nopriv_[ACTION_NAME]', 'callback_function');`\n2. **Execution:** When a POST request is sent to `admin-ajax.php` with `action=[ACTION_NAME]`, WordPress executes the callback.\n3. **Vulnerability:** The callback function performs sensitive operations (like `update_option` or database writes) but only checks for a nonce (CSRF protection) without checking if the user has the `manage_options` capability.\n\n## 4. Nonce Acquisition Strategy\nIf the vulnerable function uses `check_ajax_referer('ecab_nonce_action', 'security')`, we must retrieve the nonce from the frontend.\n\n1. **Identify Script Localization:** Search for `wp_localize_script` in the codebase to find the object name and key.\n   - *Grep:* `grep -rn \"wp_localize_script\" .`\n2. **Identify Triggering Page:** Find where the script is enqueued (e.g., a page containing the taxi booking shortcode).\n   - *Grep:* `grep -rn \"add_shortcode\" .` (Look for something like `[ecab_booking_form]`).\n3. **Extraction:**\n   - Create a page with the identified shortcode: `wp post create --post_type=page --post_status=publish --post_content='[SHORTCODE_NAME]'`\n   - Use `browser_navigate` to visit that page.\n   - Use `browser_eval` to extract the nonce: `browser_eval(\"window.ecab_obj?.nonce\")` (Replace `ecab_obj` and `nonce` with actual keys found in step 1).\n\n## 5. Exploitation Strategy\n### Step 1: Identification (Reconnaissance)\nFind the vulnerable AJAX action and the settings it can modify.\n```bash\n# Find all nopriv AJAX actions\ngrep -r \"wp_ajax_nopriv_\" .\n\n# Examine the callback for the absence of current_user_can()\n# Example: If action is 'ecab_save_settings', find the function\ngrep -rn \"function ecab_save_settings\" .\n```\n\n### Step 2: Payload Construction\nConstruct a POST request to modify a setting. A common target for \"Integrity: Low\" is changing a price multiplier or an administrative email.\n- **URL:** `http:\u002F\u002Fvulnerable-wp.local\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Content-Type:** `application\u002Fx-www-form-urlencoded`\n- **Body:** `action=[VULNERABLE_ACTION]&security=[NONCE]&[SETTING_KEY]=[MALICIOUS_VALUE]`\n\n### Step 3: Execution\nUse the `http_request` tool to send the payload.\n\n## 6. Test Data Setup\n1. **Install Plugin:** Ensure `ecab-taxi-booking-manager` version 2.0.1 is installed and active.\n2. **Create Nonce Page:** \n   ```bash\n   # Inferred shortcode based on plugin name\n   wp post create --post_type=page --post_title=\"Booking\" --post_status=publish --post_content='[ecab-taxi-booking]'\n   ```\n\n## 7. Expected Results\n- **Success:** The server returns a success code (e.g., `1`, `{\"success\":true}`, or a redirect).\n- **Verification:** The targeted setting in the `wp_options` table or the plugin dashboard is updated to the malicious value.\n\n## 8. Verification Steps\nAfter the exploit, use WP-CLI to confirm the state change:\n```bash\n# Check if the plugin option was updated\nwp option get [OPTION_NAME_FROM_CODE]\n\n# Example if the vuln modifies a specific booking (ID 123)\nwp db query \"SELECT * FROM wp_posts WHERE ID = 123\"\n```\n\n## 9. Alternative Approaches\nIf no `wp_ajax_nopriv_` hooks are found:\n1. **Subscriber-Level Access:** Check `wp_ajax_` (authenticated) hooks. If `current_user_can` is missing, even a 'Subscriber' can exploit it.\n   - Create a subscriber: `wp user create attacker attacker@example.com --role=subscriber`\n   - Log in and extract the nonce from the user profile or dashboard.\n2. **REST API:** Check for `register_rest_route` calls where the `permission_callback` returns `__return_true` or is missing entirely.\n   - *Grep:* `grep -rn \"register_rest_route\" . -A 5`","The E-cab Taxi Booking Manager for Woocommerce plugin for WordPress is vulnerable to unauthorized access due to missing capability checks in its AJAX handlers in versions up to 2.0.1. This allows unauthenticated attackers to perform administrative actions such as modifying plugin settings by sending crafted requests to the admin-ajax.php endpoint.","\u002F\u002F includes\u002Fclass-ecab-taxi-booking-manager.php\n\nadd_action('wp_ajax_nopriv_ecab_save_settings', 'ecab_save_settings_callback');\nadd_action('wp_ajax_ecab_save_settings', 'ecab_save_settings_callback');\n\nfunction ecab_save_settings_callback() {\n    \u002F\u002F Vulnerability: Missing current_user_can() check\n    check_ajax_referer('ecab_nonce_action', 'security');\n\n    if (isset($_POST['settings'])) {\n        update_option('ecab_settings', $_POST['settings']);\n        wp_send_json_success();\n    }\n}","--- a\u002Fincludes\u002Fclass-ecab-taxi-booking-manager.php\n+++ b\u002Fincludes\u002Fclass-ecab-taxi-booking-manager.php\n@@ -10,6 +10,10 @@\n function ecab_save_settings_callback() {\n     check_ajax_referer('ecab_nonce_action', 'security');\n \n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_send_json_error( 'Unauthorized', 403 );\n+    }\n+\n     if (isset($_POST['settings'])) {\n         update_option('ecab_settings', $_POST['settings']);\n         wp_send_json_success();","To exploit this vulnerability, an attacker first identifies a page containing the taxi booking shortcode (e.g., [ecab-taxi-booking]) to retrieve a valid security nonce from the localized JavaScript object (e.g., ecab_obj.nonce). The attacker then sends an unauthenticated POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to the vulnerable callback (e.g., ecab_save_settings), the 'security' parameter containing the extracted nonce, and additional parameters containing malicious plugin configuration data. Because the plugin does not verify if the user has the 'manage_options' capability, the settings are updated successfully.","gemini-3-flash-preview","2026-06-04 20:42:51","2026-06-04 20:43:36",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","2.0.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fecab-taxi-booking-manager\u002Ftags\u002F2.0.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fecab-taxi-booking-manager.2.0.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fecab-taxi-booking-manager\u002Ftags"]