A critical authentication bypass vulnerability has been identified in the magepeopleteam Taxi Booking Manager for WooCommerce plugin. This flaw allows an unauthenticated attacker to bypass security controls and gain administrative access to the affected website. Successful exploitation could lead to a complete system compromise, resulting in data theft, financial fraud, and significant operational disruption.

This vulnerability is an authentication bypass that exists due to a flaw in how the plugin handles access to privileged functions. An unauthenticated remote attacker can send a specially crafted request to a specific endpoint or file within the plugin. This request exploits a logic error that fails to properly validate the user's session or permissions, granting the attacker an authenticated session with administrative privileges without requiring valid credentials. This allows the attacker to gain complete control over the WordPress site.

This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a severe risk to the business. An attacker who successfully exploits this flaw can gain full administrative control of the e-commerce platform. The potential consequences include theft of sensitive customer data (personally identifiable information, order history, payment details), unauthorized financial transactions, website defacement causing significant reputational damage, and using the compromised server to launch further attacks. The operational and financial impact of such a compromise would be substantial.

Immediate Action: Immediately update the magepeopleteam Taxi Booking Manager for WooCommerce plugin to the latest version provided by the vendor. Before and after applying the patch, carefully monitor system and web server access logs for any signs of exploitation, such as the creation of unauthorized administrative accounts or unusual file modifications.

Proactive Monitoring:

• Log Analysis: Review web server (e.g., Apache, Nginx) and application logs for unusual POST or GET requests to plugin-specific PHP files or API endpoints, especially from unknown IP addresses. Look for successful administrative actions (e.g., user creation, plugin modification) that do not correlate with legitimate administrator activity.
• File Integrity Monitoring: Implement file integrity monitoring to detect unauthorized changes to WordPress core files, themes, and plugins.
• User Account Review: Regularly audit WordPress user accounts for any recently created users with administrative privileges that cannot be accounted for.

Compensating Controls:

• Web Application Firewall (WAF): If immediate patching is not feasible, configure a WAF with rules to block malicious requests targeting the vulnerable components of the plugin (virtual patching).
• Access Restriction: If possible, restrict access to the plugin's files at the web server level to prevent direct access by unauthorized users.
• Plugin Deactivation: If the plugin is not critical for business operations, disable and uninstall it until a patch can be safely applied.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the potential for a complete, unauthenticated system compromise, it is imperative that organizations using the affected software apply the vendor-supplied patches immediately. Although this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity makes it a prime candidate for future exploitation. We strongly recommend prioritizing the patching of this vulnerability across all affected assets without delay to prevent a potential compromise.