CVE-2025-8898: CWE-862 Missing Authorization in magepeopleteam E-cab Taxi Booking Manager for Woocommerce
The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.0. This is due to the plugin not properly validating a user's capabilities prior to updating a plugin setting, or their identity prior to updating their details such as their email address. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators', and leverage that to reset the user's password and gain access to their account.
AI Analysis
Technical Summary
CVE-2025-8898 is a critical security vulnerability identified in the E-cab Taxi Booking Manager plugin for WooCommerce, developed by magepeopleteam. This plugin is widely used to facilitate taxi booking services integrated into WordPress e-commerce sites. The vulnerability stems from improper authorization checks (CWE-862) within the plugin's code, allowing unauthenticated attackers to escalate privileges through an account takeover attack. Specifically, the plugin fails to validate a user's capabilities before permitting updates to plugin settings or changes to user details such as email addresses. This flaw enables attackers to arbitrarily modify the email address of any user, including administrators. By changing an administrator’s email, the attacker can trigger a password reset process, effectively gaining full control over the administrator account without any authentication or user interaction. The vulnerability affects all versions of the plugin up to and including version 1.3.0. The CVSS v3.1 base score is 9.8, reflecting a critical severity due to the vulnerability’s network accessibility (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact on confidentiality, integrity, and availability is high, as full administrative access can lead to complete site compromise, data theft, or service disruption. No public exploits have been reported yet, but the severity and ease of exploitation make this a significant threat for any site using this plugin.
Potential Impact
For European organizations, the impact of this vulnerability can be severe, especially for businesses relying on the E-cab Taxi Booking Manager plugin to manage transportation services or customer bookings. Compromise of administrator accounts can lead to unauthorized access to sensitive customer data, including personally identifiable information (PII), payment details, and booking histories, which would violate GDPR regulations and potentially result in heavy fines and reputational damage. Additionally, attackers could manipulate booking data, disrupt service availability, or deploy further malware within the compromised WordPress environment. Given the critical nature of the vulnerability, attackers could also leverage compromised sites as pivot points for lateral movement within corporate networks or to launch supply chain attacks targeting customers or partners. The threat is particularly acute for small to medium enterprises (SMEs) in the transportation and logistics sectors that may lack robust cybersecurity defenses or timely patch management processes.
Mitigation Recommendations
Immediate mitigation requires updating the E-cab Taxi Booking Manager plugin to a patched version once released by the vendor. Until a patch is available, organizations should implement strict access controls on WordPress admin panels, including limiting administrative privileges to trusted personnel only. Employing Web Application Firewalls (WAFs) with custom rules to detect and block unauthorized attempts to modify user email addresses or plugin settings can reduce exposure. Monitoring WordPress logs for suspicious activities such as unexpected email changes or password reset requests is critical for early detection. Organizations should enforce multi-factor authentication (MFA) for all administrator accounts to mitigate the impact of credential compromise. Regular backups of the WordPress environment and database should be maintained to enable rapid recovery in case of compromise. Finally, organizations should conduct security audits of their WordPress plugins and consider isolating critical plugins in sandboxed environments to limit potential damage.
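To make the missing check concrete, here is an added PHP illustration of the CWE-862 pattern described above beside the hardened form an auditor would expect: a capability check before a settings change, and an identity check bound to the logged-in session before any user's e-mail is changed. This is not the E-cab plugin's code; the hook names, nonce actions, option name and request field names are assumed.

```php
<?php
// Added illustration of the CWE-862 pattern described above: a hypothetical
// WordPress AJAX handler that updates a user's e-mail. It is NOT the E-cab
// plugin's code; hook names, nonce actions and field names are assumed.

// Insecure pattern: exposed on the unauthenticated wp_ajax_nopriv_ hook and
// trusting a caller-supplied user_id, so any visitor can rewrite any account.
function ecab_demo_insecure_update_email() {
    $user_id = (int) $_POST['user_id'];
    wp_update_user( array( 'ID' => $user_id, 'user_email' => $_POST['email'] ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_ecab_demo_update_email', 'ecab_demo_insecure_update_email' );

// Hardened pattern: authenticated hook only, CSRF nonce, identity bound to the
// logged-in session, and a capability check before touching another account.
function ecab_demo_secure_update_email() {
    check_ajax_referer( 'ecab_demo_update_email', 'nonce' ); // rejects forged requests
    $current   = get_current_user_id();
    $requested = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : $current;
    // Identity/authorization check: own record, or the edit_user meta capability.
    if ( $requested !== $current && ! current_user_can( 'edit_user', $requested ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }
    $result = wp_update_user( array( 'ID' => $requested, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}
// Registered on the authenticated hook only; no wp_ajax_nopriv_ variant exists.
add_action( 'wp_ajax_ecab_demo_update_email', 'ecab_demo_secure_update_email' );

// Plugin settings follow the same rule: nonce plus the manage_options capability.
function ecab_demo_secure_update_setting() {
    check_ajax_referer( 'ecab_demo_update_setting', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'ecab_demo_setting', sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_ecab_demo_update_setting', 'ecab_demo_secure_update_setting' );
```

When reviewing a plugin for this class of bug, look for handlers registered on wp_ajax_nopriv_ (or REST routes with a permissive permission_callback) that take a user ID or option name from the request and write it without a current_user_can check.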
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-12T17:46:43.835Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68a02993ad5a09ad0075aa19
Added to database: 8/16/2025, 6:47:47 AM
Last enriched: 8/24/2025, 1:03:42 AM
Last updated: 9/27/2025, 7:45:46 PM