CVE-2025-8898
Published: 16 August 2025
Summary
CVE-2025-8898 is a critical-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 48.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-2 (Account Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 mandates enforcement of approved authorizations for access to system resources, directly preventing unauthenticated attackers from updating user email addresses and plugin settings via missing capability checks.
AC-2 requires proper management and authorization of account changes, such as email addresses, mitigating unauthorized modifications that enable password resets and account takeover.
AC-6 enforces least privilege on plugin processes and REST API endpoints, limiting the ability to perform privileged actions like arbitrary user updates even if initial checks fail.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote exploitation of unauthenticated REST endpoints in public-facing WordPress plugin enables initial access (T1190), leads to unauthorized account email modification for takeover (T1098), and achieves privilege escalation to admin control (T1068).
NVD Description
The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.0. This is due to the plugin not properly validating a user's capabilities prior…
more
to updating a plugin setting or their identity prior to updating their details like email address. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. CVE-2025-54713 is likely a duplicate of this issue.
Deeper analysisAI
CVE-2025-8898 is a privilege escalation vulnerability via account takeover in the Taxi Booking Manager for WooCommerce | E-cab plugin for WordPress, affecting all versions up to and including 1.3.0. The issue arises because the plugin fails to properly validate a user's capabilities before updating plugin settings or their identity before modifying details such as email addresses. This flaw, mapped to CWE-862 (Missing Authorization), carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-08-16.
Unauthenticated attackers can exploit the vulnerability remotely with low complexity and no user interaction. By targeting the plugin's REST API endpoints, they can change the email addresses of arbitrary users, including administrators, then use the altered email to trigger password resets and fully take over those accounts, enabling site-wide control.
Advisories and references, including Wordfence's threat intelligence report, detail the issue and urge updating the plugin. A patch addressing the authorization checks appears in WordPress plugin trac changeset 3343878 at MPTBM_Rest_Api.php, with the official plugin page available for downloads. CVE-2025-54713 is noted as a likely duplicate.
Details
- CWE(s)