Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in Magepeople inc. Taxi Booking Manager for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Taxi Booking Manager for WooCommerce: from n/a through 2.0.1.
AnalysisAI
Unauthenticated broken access control in Magepeople Inc.'s Taxi Booking Manager for WooCommerce plugin (versions up to and including 2.0.1) exposes limited information to remote attackers without requiring any credentials or user interaction. The plugin fails to enforce proper authorization checks on one or more endpoints, classified under CWE-862 (Missing Authorization), allowing unauthenticated network requests to access functionality or data that should be restricted. No active exploitation is confirmed (not in CISA KEV) and EPSS stands at 0.03%, indicating low observed exploitation probability at time of analysis.
Technical ContextAI
The affected component is the Taxi Booking Manager for WooCommerce WordPress plugin by Magepeople Inc., identified by CPE cpe:2.3:a:magepeople_inc.:taxi_booking_manager_for_woocommerce:*:*:*:*:*:*:*:*. The root cause is CWE-862 (Missing Authorization) - a class of vulnerability where server-side code performs an action or returns data without verifying that the requesting party has the necessary permission to do so. In the WordPress plugin ecosystem, this commonly manifests as REST API endpoints, AJAX handlers (admin-ajax.php), or admin page callbacks that omit nonce verification or capability checks, allowing any HTTP client to invoke them. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the flaw is reachable over the network with no authentication, no special complexity, and no user interaction.
RemediationAI
No exact patched version is confirmed in the available intelligence - the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/ecab-taxi-booking-manager/vulnerability/wordpress-taxi-booking-manager-for-woocommerce-plugin-2-0-1-broken-access-control-vulnerability should be consulted directly for the latest fix version. Site administrators should check the WordPress plugin repository for an updated release above 2.0.1 and apply it immediately. If no patch is yet available, a compensating control is to use a Web Application Firewall (WAF) rule to restrict access to the plugin's AJAX or REST endpoints to authenticated sessions only - most WordPress security plugins (e.g., Wordfence, Solid Security) offer endpoint-level access restriction, though this may break legitimate unauthenticated booking flows if those endpoints are part of the customer-facing UI. A secondary measure is to temporarily deactivate the plugin if taxi booking functionality is not business-critical, accepting the trade-off of lost booking capability. The NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-25426 should be monitored for patch confirmation.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31967
GHSA-3wv3-mxjf-7mwp