CVE-2022-50954
Local File Inclusion in Cab Fare Calculator WordPress Plugin
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cab-fare-calculator | cab-fare-calculator | 1.0.3 |
| kanev | cab_fare_calculator | 1.0.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to read arbitrary files on the server, potentially exposing sensitive information.
Such unauthorized access to sensitive data could lead to violations of data protection regulations like GDPR or HIPAA, which require strict controls on personal and sensitive information.
Therefore, exploitation of this vulnerability may result in non-compliance with these standards due to data breaches or unauthorized data disclosure.
Can you explain this vulnerability to me?
Version 1.0.3 of the cab-fare-calculator WordPress plugin contains a local file inclusion (LFI) vulnerability: the value of the 'controller' GET parameter to tblight.php is used to build the filename handed to a PHP include/require statement without adequate restriction (CWE-98). The request needs no authentication, so anyone who can reach tblight.php can supply path traversal sequences such as ../ in 'controller' and make the script include files outside the intended controllers directory.
When PHP includes a file this way it returns the contents of a non-PHP file (configuration, logs, /etc/passwd) to the requester, and executes any PHP code contained in a file the attacker manages to point the include at.
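The following PHP is an added illustration of the pattern CWE-98 describes, not code from the Cab Fare Calculator plugin. It shows a controller name taken from the request reaching include(), beside a hardened version that only accepts names from an allowlist and confirms the resolved path stays inside the controllers directory. The controllers/ directory, the controller names and the file layout are assumptions for the example; only the 'controller' parameter name comes from the advisory.

```php
<?php
// Added example, not the plugin's own code: the CWE-98 pattern the advisory
// describes (a 'controller' GET parameter reaching include()) and a hardened
// replacement. The controllers/ directory, the controller names and the file
// layout are assumptions made for illustration.
declare(strict_types=1);

const CONTROLLER_DIR = __DIR__ . '/controllers';

// Vulnerable form. Nothing restricts $controller, so a request such as
//   tblight.php?controller=../../../../../../etc/passwd
// makes include() read a file outside controllers/. PHP sends the contents of a
// non-PHP file to the client and executes PHP code in any file it can reach.
function vulnerable_controller_path(string $controller): string
{
    return CONTROLLER_DIR . '/' . $controller;   // exactly what include() would receive
}

// Hardened form: an allowlist of known controllers, then a realpath() containment
// check. The request can only choose among files this script already knows about.
function safe_controller_path(string $controller): ?string
{
    $known = ['fare' => 'fare.php', 'settings' => 'settings.php']; // assumed names
    if (!isset($known[$controller])) {
        return null;                       // anything not on the list is rejected
    }
    $base = realpath(CONTROLLER_DIR);
    if ($base === false) {
        return null;                       // directory missing: fail closed
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $known[$controller]);
    // realpath() resolves ".." and symlinks, so the prefix test below also
    // catches a symlink inside controllers/ that points somewhere else.
    if ($path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Usage from the command line:
//   php this_file.php '../../../../etc/passwd'
//   php this_file.php fare
$controller = $_GET['controller'] ?? $argv[1] ?? 'fare';
printf("vulnerable include target: %s\n", vulnerable_controller_path($controller));
printf("hardened include target:   %s\n",
       safe_controller_path($controller) ?? 'rejected (not an allowed controller)');
// In a real handler only a non-null result of safe_controller_path() is ever
// passed to include(); the request value itself never is.
```

The allowlist is the control that matters: once the request can only select a key, traversal sequences have nothing to act on. The realpath() prefix check is defence in depth against a stray file or symlink inside the directory, and it fails closed when the directory does not exist, which is why running the demo without a controllers/ directory reports every input as rejected.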
How can this vulnerability impact me?
An unauthenticated attacker can read arbitrary files the web server process can access, which typically means exposure of sensitive information such as the WordPress configuration (database credentials) and other files on the host.
Because the attacker controls a PHP include rather than a plain file read, the impact is not limited to disclosure: if any file on the server contains attacker-supplied PHP code (for example an uploaded file or a log entry), including it executes that code, so the issue can escalate to code execution and further compromise of the server.
The severity is rated medium with a CVSS score of 6.9.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts show up in the web server access log as GET requests to tblight.php whose 'controller' parameter contains directory traversal sequences. Search for '../' and its URL-encoded forms (%2e%2e%2f, %2e%2e/, ..%2f and the double-encoded %252e%252e%252f), because a grep for the literal '../' alone misses encoded payloads:
- grep -iE 'tblight\.php\?[^" ]*controller=[^" ]*(\.\.|%2e%2e|%252e%252e)(/|%2f|%252f)' /var/log/apache2/access.log (use /var/log/nginx/access.log on nginx)
- On plaintext HTTP, or at a TLS-terminating proxy, tcpdump or a Wireshark display filter on the HTTP request URI can isolate requests to tblight.php whose 'controller' value contains traversal sequences; TLS traffic cannot be inspected on the wire, so the server's access log is the more dependable source.
Independently of the logs, check whether the vulnerable version is installed: the plugin lives under wp-content/plugins/cab-fare-calculator/ and its main file carries a 'Version:' header, and 1.0.3 is the affected release listed above.
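As an added example that is not part of the advisory, the PHP CLI script below scans access-log lines for traversal in the 'controller' parameter of tblight.php. It does what a plain grep for '../' cannot: it parses the request line, decodes the query string twice so single- and double-URL-encoded payloads (%2e%2e%2f, %252e%252e%252f) are caught, and also matches backslash traversal. The log lines are constructed for the demonstration, the Apache/nginx combined log format is assumed, and the script needs PHP 8 for str_ends_with().

```php
<?php
// Added example, not part of the advisory: scan access-log lines for traversal
// in the 'controller' parameter of requests to tblight.php. The log lines are
// constructed for the demonstration; the combined log format and PHP 8 are assumed.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [10/May/2026:08:01:12 +0000] "GET /wp-content/plugins/cab-fare-calculator/tblight.php?controller=fare HTTP/1.1" 200 512
203.0.113.9 - - [10/May/2026:08:01:40 +0000] "GET /wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../etc/passwd HTTP/1.1" 200 2044
203.0.113.9 - - [10/May/2026:08:02:03 +0000] "GET /wp-content/plugins/cab-fare-calculator/tblight.php?controller=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3010
203.0.113.9 - - [10/May/2026:08:02:15 +0000] "GET /wp-content/plugins/cab-fare-calculator/tblight.php?controller=..%252f..%252fwp-config.php HTTP/1.1" 200 3010
198.51.100.4 - - [10/May/2026:08:03:00 +0000] "GET /wp-content/plugins/other/page.php?file=../../etc/passwd HTTP/1.1" 404 210
LOG;

/** True when a request target is tblight.php with a traversal sequence in 'controller'. */
function is_traversal_attempt(string $requestTarget): bool
{
    $parts = parse_url($requestTarget);
    if (!isset($parts['path'], $parts['query'])) {
        return false;
    }
    if (!str_ends_with($parts['path'], '/tblight.php')) {
        return false;                       // other scripts are out of scope here
    }
    parse_str($parts['query'], $params);    // first decode happens here
    if (!isset($params['controller']) || !is_string($params['controller'])) {
        return false;
    }
    // Second decode catches double-encoded payloads; it is a no-op on plain values.
    $value = rawurldecode($params['controller']);
    return (bool) preg_match('#\.\.[/\\\\]#', $value);   // "../" or "..\"
}

/** Scan log text and return [client IP, request target] for every hit. */
function find_lfi_attempts(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Combined log format: client IP first, request line in the first quoted field.
        if (!preg_match('/^(\S+) .*? "(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;                       // malformed line, skip it
        }
        if (is_traversal_attempt($m[2])) {
            $hits[] = [$m[1], $m[2]];
        }
    }
    return $hits;
}

// Usage: php this_file.php            (or feed a real log: replace SAMPLE_LOG with
//                                      file_get_contents('/var/log/apache2/access.log'))
foreach (find_lfi_attempts(SAMPLE_LOG) as [$ip, $target]) {
    echo "$ip  $target\n";
}
```

Run against the constructed sample, the three requests from 203.0.113.9 are reported (plain, single-encoded and double-encoded traversal), while the legitimate request and the attempt against a different script are not. Decoding before matching is the part to carry over into any SIEM or WAF rule: matching the raw request line reproduces the same blind spot as the single-pattern grep.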
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to update the cab-fare-calculator plugin if the vendor has released a version newer than 1.0.3 that fixes the issue; this page lists only 1.0.3 as affected and names no fixed release, so check the plugin's changelog before relying on an update.
If no fixed version is available, uninstall the plugin rather than merely deactivating it: deactivation leaves the plugin files on disk, and a directly reachable tblight.php may still serve the vulnerable include.
Where the plugin must stay installed for the moment, deny direct requests to tblight.php (or to the whole plugin directory) in the web server configuration; confirm first that the plugin's own front-end does not call tblight.php, otherwise the rule breaks the calculator.
WAF rules should block requests to tblight.php whose 'controller' value contains '..' in plain or URL-encoded form; make sure the engine decodes the parameter before matching, since a rule that only looks for the literal '../' is bypassed with %2e%2e%2f or double encoding.