CVE-2025-8898: 
WordPress vulnerability analysis and mitigation

The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress contains a critical privilege escalation vulnerability (CVE-2025-8898) affecting all versions up to and including 1.3.0. The vulnerability was discovered and reported by Wordfence, with disclosure on August 16, 2025. This security flaw affects WordPress installations using the E-cab taxi booking plugin (WordPress Plugin, NVD Database).

The vulnerability stems from improper validation of user capabilities prior to updating plugin settings and user identity verification before updating user details like email addresses. The severity is rated as Critical with a CVSS v3.1 Base Score of 9.8 (CRITICAL) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-862 (Missing Authorization) (NVD Database).

The vulnerability allows unauthenticated attackers to modify arbitrary users' email addresses, including administrators. Once an attacker changes an email address, they can leverage WordPress's password reset functionality to gain unauthorized access to user accounts, including those with administrative privileges (NVD Database).

The vulnerability has been patched in version 1.3.1 of the plugin. Users are strongly advised to update to this version immediately. The update includes improvements to the API security and various bug fixes (WordPress Plugin).