CVE-2025-30839 identifies a missing authorization vulnerability in the Taxi Booking Manager for WooCommerce plugin developed by magepeopleteam, affecting all versions up to and including 1.2.1. The vulnerability arises from incorrectly configured access control security levels within the plugin, which fails to properly verify whether a user is authorized to perform certain actions. This missing authorization flaw can allow an attacker with access to the WooCommerce environment to bypass intended restrictions and execute unauthorized operations related to taxi booking management. These operations could include viewing, modifying, or deleting booking data, potentially leading to data leakage or disruption of service. The vulnerability does not require user interaction but does require the attacker to have some level of access to the WooCommerce backend or the ability to send crafted requests to the plugin's endpoints. No public exploits have been reported yet, and no official patches are currently linked, indicating that the vulnerability is newly disclosed. The lack of a CVSS score necessitates an assessment based on the nature of the flaw, which impacts the integrity and confidentiality of booking data and could disrupt business operations. The plugin is used in e-commerce environments that rely on WooCommerce, a widely adopted WordPress plugin for online stores, particularly in regions with strong e-commerce markets. The vulnerability highlights the importance of proper access control implementation in third-party plugins integrated into e-commerce platforms.

The missing authorization vulnerability in the Taxi Booking Manager for WooCommerce plugin can have significant impacts on organizations that rely on this plugin for managing taxi bookings. Unauthorized access could allow attackers to view sensitive customer data, manipulate booking information, or disrupt booking operations, leading to loss of customer trust and potential financial losses. The integrity of booking data could be compromised, resulting in incorrect or fraudulent bookings. Confidentiality breaches could expose personally identifiable information (PII) of customers, raising compliance and privacy concerns. Additionally, disruption of booking services could impact business continuity and customer satisfaction. Since WooCommerce is widely used globally, organizations using this plugin in their e-commerce infrastructure are at risk. The absence of known exploits currently limits immediate widespread impact, but the vulnerability presents a clear attack vector that could be weaponized once exploit code becomes available. The risk is heightened in environments where multiple users have access to the WooCommerce backend or where the plugin is exposed to untrusted users.

Organizations using the Taxi Booking Manager for WooCommerce plugin should immediately review and restrict access to the WooCommerce backend to trusted personnel only. Implement strict role-based access controls (RBAC) to limit who can interact with the plugin’s booking management features. Monitor and audit plugin activity logs for suspicious actions that could indicate exploitation attempts. Since no official patch is currently linked, organizations should contact the vendor (magepeopleteam) to inquire about patch availability or updates addressing this vulnerability. In the interim, consider disabling or uninstalling the plugin if feasible to eliminate the attack surface. Employ web application firewalls (WAFs) with custom rules to detect and block unauthorized requests targeting the plugin’s endpoints. Regularly update all WordPress plugins and core installations to reduce exposure to known vulnerabilities. Finally, educate staff about the risks of unauthorized access and enforce strong authentication mechanisms, such as multi-factor authentication (MFA), for administrative accounts.