Cyber Posture

CVE-2025-24661

High

Published: 03 February 2025

Published
03 February 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0009 24.6th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Security Summary

CVE-2025-24661 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Taxi Booking Manager for WooCommerce WordPress plugin (ecab-taxi-booking-manager) from magepeopleteam. The flaw enables Object Injection and affects all versions from n/a through 1.1.8, as published on 2025-02-03.

Attackers with low privileges, such as authenticated WordPress users, can exploit this over the network with low attack complexity and no user interaction required. The CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates high impacts, potentially allowing full compromise of confidentiality, integrity, and availability on affected systems.

The Patchstack advisory provides further details on this PHP Object Injection vulnerability in version 1.1.8 of the plugin.

Details

CWE(s)
CWE-502

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

The PHP deserialization/object injection vulnerability in the public-facing WordPress plugin allows low-privileged authenticated attackers to achieve remote code execution and full system compromise over the network.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References