PatchSiren cyber security CVE debrief

CVE-2026-25426 Magepeople inc. CVE debrief

A Missing Authorization vulnerability (CWE-862) in the Taxi Booking Manager for WooCommerce WordPress plugin allows exploitation of incorrectly configured access control security levels. It affects versions through 2.0.1; the record gives no lower bound for the affected range. The issue was published to the CVE List on 2026-05-26 and carries a CVSS 3.1 score of 5.3 (MEDIUM severity). The vulnerability is characterized by broken access control that could allow unauthorized actors to access functionality or data. No known exploitation in ransomware campaigns has been reported, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.

Vendor: Magepeople inc.
Product: Taxi Booking Manager for WooCommerce
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

WordPress site administrators using the Taxi Booking Manager for WooCommerce plugin; WooCommerce store operators; security teams managing WordPress plugin inventories; hosting providers offering WordPress managed services

Technical summary

The Taxi Booking Manager for WooCommerce plugin (versions through 2.0.1) contains a Missing Authorization vulnerability classified as CWE-862. The vulnerability stems from broken access control mechanisms that fail to properly validate user permissions before granting access to restricted functionality. The CVSS 3.1 score of 5.3 (MEDIUM) reflects a network attack vector, low attack complexity, no required privileges, and no user interaction. The impact is limited to low confidentiality impact, with no integrity or availability impact. The plugin vendor is Magepeople inc.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Taxi Booking Manager for WooCommerce plugin to a version newer than 2.0.1
  • Review WordPress user role permissions against the principle of least privilege
  • Implement Web Application Firewall (WAF) rules to detect and block unauthorized access attempts to plugin endpoints
  • Monitor access logs for anomalous requests to plugin administrative functions
  • Conduct security assessment of other Magepeople inc. plugins for similar access control weaknesses

Evidence notes

Vulnerability identified by Patchstack and reported to CVE.org. NVD status is currently 'Deferred'. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.
