
CVE-2025-54713: CWE-288 Authentication Bypass Using an Alternate Path or Channel in magepeopleteam Taxi Booking Manager for WooCommerce

Severity: Critical
Published: Wed Aug 20 2025 (08/20/2025, 08:02:51 UTC)
Source: CVE Database V5
Vendor/Project: magepeopleteam
Product: Taxi Booking Manager for WooCommerce

Description

Authentication Bypass Using an Alternate Path or Channel vulnerability in magepeopleteam Taxi Booking Manager for WooCommerce allows Authentication Abuse. This issue affects Taxi Booking Manager for WooCommerce: from n/a through 1.3.0.

AI-Powered Analysis

Last updated: 08/20/2025, 08:33:58 UTC

Technical Analysis

CVE-2025-54713 is a critical authentication bypass vulnerability (CWE-288) in the Taxi Booking Manager for WooCommerce plugin developed by magepeopleteam. It affects all versions up to and including 1.3.0. The flaw lets an attacker bypass the plugin's authentication checks through an alternate path or communication channel, so unauthorized access can be obtained without valid credentials and without any user interaction. The vulnerability carries a CVSS v3.1 base score of 9.8 (critical): the attack vector is network-based (AV:N), no privileges are required (PR:N), no user interaction is needed (UI:N), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). Because the plugin runs inside WooCommerce on WordPress, a successful bypass could let an attacker manipulate booking data, read sensitive customer information, or disrupt service availability. At the time of this report no patch has been published and no exploitation in the wild has been observed; the severity and ease of exploitation nonetheless make this a significant threat to organizations that use the plugin for taxi or ride-booking services.

Potential Impact

For European organizations, especially those in the transportation, logistics, and ride-hailing sectors that run WooCommerce with the Taxi Booking Manager plugin, this vulnerability poses a substantial risk. Unauthorized access could expose personal customer data, including names, contact details, and booking histories, in violation of GDPR and other data protection regulations. Attackers could alter bookings, causing financial loss and reputational damage, and compromised booking or payment data could lead to fraudulent transactions or service disruption. Availability impacts could deny service to legitimate customers and affect business continuity. Given the critical severity and the plugin's integration with an e-commerce platform, organizations could face regulatory penalties and loss of customer trust if the flaw is exploited.

Mitigation Recommendations

The immediate mitigation is to disable the Taxi Booking Manager plugin until a security patch is released. Organizations should monitor official magepeopleteam channels and trusted vulnerability databases for updates or patches. A Web Application Firewall (WAF) with custom rules that detect and block suspicious requests to the plugin's endpoints can provide temporary protection. Conduct access audits and review logs for unusual authentication attempts or access patterns. Where feasible, restrict network access to the WooCommerce backend to trusted IP addresses. Organizations should also review and strengthen overall WordPress and WooCommerce security practices, including timely updates, strong administrative credentials, and least-privilege principles. Once a patch is available, prioritize its deployment and validate the fix through testing. Multi-factor authentication (MFA) for administrative access further reduces the risk from any bypass.


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-07-28T10:56:17.343Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68a584baad5a09ad0002e446

Added to database: 8/20/2025, 8:18:02 AM

Last enriched: 8/20/2025, 8:33:58 AM

Last updated: 9/3/2025, 4:13:28 AM
