Skip to main content

Taxi Booking Manager EUVDEUVD-2026-31967

| CVE-2026-25426 MEDIUM
Missing Authorization (CWE-862)
2026-05-26 Patchstack GHSA-3wv3-mxjf-7mwp
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 12:11 vuln.today
CVE Published
May 26, 2026 - 19:32 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in Magepeople inc. Taxi Booking Manager for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Taxi Booking Manager for WooCommerce: from n/a through 2.0.1.

AnalysisAI

Unauthenticated broken access control in Magepeople Inc.'s Taxi Booking Manager for WooCommerce plugin (versions up to and including 2.0.1) exposes limited information to remote attackers without requiring any credentials or user interaction. The plugin fails to enforce proper authorization checks on one or more endpoints, classified under CWE-862 (Missing Authorization), allowing unauthenticated network requests to access functionality or data that should be restricted. No active exploitation is confirmed (not in CISA KEV) and EPSS stands at 0.03%, indicating low observed exploitation probability at time of analysis.

Technical ContextAI

The affected component is the Taxi Booking Manager for WooCommerce WordPress plugin by Magepeople Inc., identified by CPE cpe:2.3:a:magepeople_inc.:taxi_booking_manager_for_woocommerce:*:*:*:*:*:*:*:*. The root cause is CWE-862 (Missing Authorization) - a class of vulnerability where server-side code performs an action or returns data without verifying that the requesting party has the necessary permission to do so. In the WordPress plugin ecosystem, this commonly manifests as REST API endpoints, AJAX handlers (admin-ajax.php), or admin page callbacks that omit nonce verification or capability checks, allowing any HTTP client to invoke them. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the flaw is reachable over the network with no authentication, no special complexity, and no user interaction.

RemediationAI

No exact patched version is confirmed in the available intelligence - the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/ecab-taxi-booking-manager/vulnerability/wordpress-taxi-booking-manager-for-woocommerce-plugin-2-0-1-broken-access-control-vulnerability should be consulted directly for the latest fix version. Site administrators should check the WordPress plugin repository for an updated release above 2.0.1 and apply it immediately. If no patch is yet available, a compensating control is to use a Web Application Firewall (WAF) rule to restrict access to the plugin's AJAX or REST endpoints to authenticated sessions only - most WordPress security plugins (e.g., Wordfence, Solid Security) offer endpoint-level access restriction, though this may break legitimate unauthenticated booking flows if those endpoints are part of the customer-facing UI. A secondary measure is to temporarily deactivate the plugin if taxi booking functionality is not business-critical, accepting the trade-off of lost booking capability. The NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-25426 should be monitored for patch confirmation.

Share

EUVD-2026-31967 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy