CVE-2025-8898: 
WordPress vulnerability analysis and mitigation

The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress contains a privilege escalation vulnerability (CVE-2025-8898) that affects all versions up to and including 1.3.0. The vulnerability was discovered and disclosed on August 16, 2025. This security issue impacts WordPress installations using the E-cab taxi booking plugin (NVD).

The vulnerability stems from improper validation of user capabilities prior to updating plugin settings and user identity verification before updating user details such as email addresses. The severity is rated as CRITICAL with a CVSS v3.1 Base Score of 9.8 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerability is classified under CWE-862 (Missing Authorization) (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to change arbitrary users' email addresses, including administrators. This capability can be leveraged to reset user passwords and gain unauthorized access to accounts, potentially leading to complete site compromise (NVD).

The vulnerability has been patched in version 1.3.1 of the plugin. Users are strongly advised to update to this version immediately. The update includes improvements to the API security and various bug fixes (WordPress Plugin).