This is a summary of the AI-generated 10-question deep analysis.
Q1 What is this vulnerability? (Essence + Consequences)
- **Essence**: A critical flaw in the **E-cab Taxi Booking Manager** plugin for WordPress.
- **Consequences**: Attackers can escalate privileges, leading to full site compromise.…
- **Root Cause**: **CWE-862** (Missing Authorization).
- **Flaw**: The plugin exposes privileged actions without first verifying that the caller holds the capability those actions require. This is not an input-validation problem: the request can be perfectly well-formed, and the code still acts on it because nothing asks whether the requester is allowed to.
Q3 Who is affected? (Versions/Components)
- **Affected**: **magepeopleteam**'s product **E-cab Taxi Booking Manager for Woocommerce**.
- **Version**: **1.3.0 and earlier**. Any install running 1.3.0 or an older release is vulnerable.
Q4 What can hackers do? (Privileges/Data)
- **Hacker Actions**:
  - **Privilege Escalation**: Gain admin-level access without proper credentials.
  - **Data Access**: Full read/write access to sensitive site data.…
- **Exploitation Threshold**: **LOW**.
  - **Attack Vector**: Network (AV:N), reachable remotely.
  - **Privileges Required**: None (PR:N), no account on the site is needed.
  - **User Interaction**: None (UI:N), no victim has to click anything.
  - **Attack Complexity**: Low (AC:L), no special conditions or race to win.
  Nothing in this vector raises the cost of an attack.
Q6 Is there a public Exp? (PoC/Wild Exploitation)
- **Public Exploit**: **No**.
- **PoC**: None listed in the data this summary was generated from.
- **Status**: The absence of a listed PoC is not evidence that none exists. Given the vector (remote, unauthenticated, no interaction, low complexity), a working exploit would be cheap to build once the vulnerable code path is known, so treat the issue as exploitable now.
Q7 How to self-check? (Features/Scanning)
**Self-Check**:
1. Check your WordPress plugins list (Plugins > Installed Plugins).
2. Look for **E-cab Taxi Booking Manager**.
3. Verify whether the installed version is **≤ 1.3.0**; if it is, the site is affected.
4. Review the REST route registrations in `inc/MPTBM_Rest_Api.php`: any `register_rest_route()` call whose `permission_callback` is absent or is `__return_true` can be invoked by an unauthenticated visitor (WordPress logs a notice for a missing `permission_callback` but still serves the route). That is the shape the missing-authorization flaw takes in a REST API file.
5. Check web server access logs for POST requests to the routes registered in that file under `/wp-json/` (or via `?rest_route=`); unexpected callers hitting them is a sign of attempted exploitation.
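The checks in steps 3 to 5, as an added example that is not code from the plugin, its vendor or the advisory: a Python script that compares the installed version against the affected range, scans PHP source for `register_rest_route()` registrations whose `permission_callback` is missing or is `__return_true`, and matches access-log lines against the paths of those open routes. The plugin header, PHP and log lines are constructed stand-ins so the script runs offline; the namespace `example/v1`, the route names and the IP addresses are invented and are not the plugin's real routes. The two open registrations beside the hardened `current_user_can()` one also show the code pattern behind the CWE-862 root cause described above.

```python
"""Self-check for the advisory: is the installed version in the affected range,
and does the REST route registration show the CWE-862 pattern (routes anyone can
call because permission_callback is missing or always returns true)?

Added example, not code from the plugin, its vendor or the advisory. The plugin
header, PHP and log lines are constructed stand-ins; 'example/v1' and the route
names are invented and are not the plugin's real routes."""
import re
from dataclasses import dataclass

AFFECTED_MAX = "1.3.0"  # advisory: version 1.3.0 and earlier are affected

# Constructed plugin header in WordPress's standard header format.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Example Booking Plugin
 * Version: 1.3.0
 */
"""

# Constructed PHP: two registrations anyone can call, then a hardened one.
SAMPLE_REST_FILE = """<?php
register_rest_route('example/v1', '/settings', array(
    'methods' => 'POST', 'callback' => array($this, 'save_settings'),
    'permission_callback' => '__return_true',  // allows every caller
));
register_rest_route('example/v1', '/legacy', array(
    'methods' => 'POST', 'callback' => array($this, 'legacy_action'),
    // no permission_callback: WordPress logs a notice but still serves it
));
register_rest_route('example/v1', '/settings-fixed', array(
    'methods' => 'POST', 'callback' => array($this, 'save_settings'),
    'permission_callback' => function () { return current_user_can('manage_options'); },
));
"""

# Constructed access-log lines (Apache combined format, documentation IPs).
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Jun/2025:12:00:01 +0000] "POST /wp-json/example/v1/settings HTTP/1.1" 200 312',
    '203.0.113.5 - - [10/Jun/2025:12:00:02 +0000] "POST /wp-json/example/v1/legacy HTTP/1.1" 200 88',
    '198.51.100.7 - - [10/Jun/2025:12:00:03 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Jun/2025:12:00:04 +0000] "POST /wp-json/example/v1/settings-fixed HTTP/1.1" 403 54',
]


def parse_version(header_text):
    """Return the 'Version:' value from a plugin header, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.M)
    return m.group(1) if m else None


def version_tuple(v, width=3):
    parts = [int(p) for p in v.split(".") if p]  # '1.3' -> (1, 3, 0)
    return tuple((parts + [0] * width)[:width])


def is_affected(installed, affected_max=AFFECTED_MAX):
    return version_tuple(installed) <= version_tuple(affected_max)


@dataclass
class Route:
    namespace: str
    route: str
    permission: str  # 'missing', 'always_true' or 'checked'

    @property
    def path(self):
        return f"/wp-json/{self.namespace}{self.route}"


def scan_rest_routes(php_source):
    """Text heuristic over register_rest_route() calls; it does not parse PHP,
    so arguments built via variables or helper functions are not resolved."""
    routes = []
    for seg in php_source.split("register_rest_route(")[1:]:
        quoted = re.findall(r"""['"]([^'"]*)['"]""", seg)
        namespace, route = (quoted + ["?", "?"])[:2]
        m = re.search(r"""['"]permission_callback['"]\s*=>\s*([^,\n]+)""", seg)
        if m is None:
            permission = "missing"
        elif "__return_true" in m.group(1):
            permission = "always_true"
        else:
            permission = "checked"
        routes.append(Route(namespace, route, permission))
    return routes


def requests_to(paths, log_lines):
    """Log lines whose request path (query string dropped) is one of `paths`."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST|PUT|PATCH|DELETE) (/[^ ?]*)', line)
        if m and m.group(1) in paths:
            hits.append(line)
    return hits


def self_check(header_text, rest_source, log_lines=()):
    version = parse_version(header_text)
    open_routes = [r for r in scan_rest_routes(rest_source) if r.permission != "checked"]
    return {
        "version": version,
        "affected": version is not None and is_affected(version),
        "open_routes": open_routes,
        "requests_to_open_routes": requests_to({r.path for r in open_routes}, log_lines),
    }


if __name__ == "__main__":
    for key, value in self_check(SAMPLE_PLUGIN_HEADER, SAMPLE_REST_FILE, SAMPLE_LOG_LINES).items():
        print(key, value)
```

On a real install, feed `parse_version` the plugin's main file and `scan_rest_routes` the contents of `inc/MPTBM_Rest_Api.php`, then pass your access log to `self_check`. The route scanner is a text heuristic rather than a PHP parser, so a registration whose arguments are assembled indirectly is not resolved; manual review of that file remains the authoritative check.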
Q8 Is it fixed officially? (Patch/Mitigation)
- **Official Fix**: **Yes**.
- **Patch**: Update to the latest version.…
**No Patch Workaround**:
1. **Deactivate** the plugin immediately if it is not essential.
2. **Delete** the plugin if it is unused.
3. Do not rely on IP-restricting `wp-admin`: the REST API is served at `/wp-json/` (or via `?rest_route=`) and is reachable without ever touching `wp-admin`, so that control does not cover this issue. If the plugin must stay active unpatched, block its REST routes at the web server or WAF instead.
4.…
- **Urgency**: **CRITICAL**.
- **Priority**: **IMMEDIATE ACTION**.
- **Reason**: Remote, unauthenticated, high impact. Do not wait for a PoC. Patch now!