Description
WordPress Plugin cab-fare-calculator 1.0.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the controller parameter in tblight.php. Attackers can supply path traversal sequences through the controller GET parameter to include and execute files outside the intended controllers directory.
Published: 2026-05-10
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The cab-fare-calculator WordPress plugin version 1.0.3 contains a local file inclusion flaw that is exploitable without authentication. An attacker can manipulate the controller parameter in tblight.php to supply path traversal sequences, enabling inclusion of files outside the intended controllers directory. This can allow the attacker to read sensitive files such as configuration files, credentials, or other secrets stored on the web host, potentially leading to further compromise. The vulnerability is identified as CWE-98.

Affected Systems

WordPress sites that have the cab-fare-calculator plugin installed, specifically version 1.0.3 released by the vendor cab-fare-calculator. No other versions are listed as affected in the available data.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity; the vulnerability is exploitable over the network by any user able to craft a URL to the plugin’s controller endpoint. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog, suggesting no confirmed exploitation yet. However, because the attack does not require authentication, the risk of exploitation remains significant for sites that have not updated the plugin.

Generated by OpenCVE AI on May 10, 2026 at 14:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the cab-fare-calculator plugin to the latest version that removes the insecure controller handling.
  • If an update is unavailable, permanently disable or uninstall the plugin from the WordPress installation.
  • Configure the web server to deny HTTP access to the plugin’s tblight.php file or set strict file permissions on plugin directories to prevent unintended file reads.

Generated by OpenCVE AI on May 10, 2026 at 14:20 UTC.
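
A log check for the request pattern this record describes, as an added example that is not part of the OpenCVE record or the plugin's code: it flags requests to tblight.php whose controller parameter, after repeated percent-decoding, is anything other than a plain name. The combined log format, the /PLUGIN_DIR/ placeholder path, the "booking" controller name and every sample line are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request portion of a combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: a legitimate controller value is a bare identifier.
SAFE_CONTROLLER = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed sample lines; /PLUGIN_DIR/ stands in for the real plugin path.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/May/2026:12:00:01 +0000] '
    '"GET /PLUGIN_DIR/tblight.php?controller=booking HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/May/2026:12:00:05 +0000] '
    '"GET /PLUGIN_DIR/tblight.php?controller=../../example HTTP/1.1" 200 2048',
    '203.0.113.9 - - [10/May/2026:12:03:11 +0000] '
    '"GET /PLUGIN_DIR/tblight.php?controller=..%252f..%252fexample HTTP/1.1" 200 2048',
    '203.0.113.9 - - [10/May/2026:12:03:15 +0000] '
    '"GET /index.php?controller=../x HTTP/1.1" 404 0',
]

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_controller(line):
    """Return the decoded controller value when a tblight.php request
    carries a controller that is not a plain name; otherwise None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    url = urlsplit(match.group("target"))
    if not unquote(url.path).lower().endswith("/tblight.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # decodes once
    for raw in params.get("controller", []):
        value = fully_decode(raw)
        if not SAFE_CONTROLLER.match(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged line."""
    hits = ((n, suspicious_controller(l)) for n, l in enumerate(lines, 1))
    return [(n, v) for n, v in hits if v is not None]
```

A flagged request that was answered with a 200 status is the first thing to review when deciding whether files on the host may have been disclosed.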

Advisories

No advisories yet.

History

Mon, 11 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 10 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Cab-fare-calculator; Cab-fare-calculator cab-fare-calculator; Wordpress; Wordpress wordpress
Vendors & Products | | Cab-fare-calculator; Cab-fare-calculator cab-fare-calculator; Wordpress; Wordpress wordpress

Sun, 10 May 2026 12:45:00 +0000

Type | Values Removed | Values Added
Description | | WordPress Plugin cab-fare-calculator 1.0.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the controller parameter in tblight.php. Attackers can supply path traversal sequences through the controller GET parameter to include and execute files outside the intended controllers directory.
Title | | WordPress Plugin cab-fare-calculator 1.0.3 Local File Inclusion
First Time appeared | | Kanev; Kanev cab Fare Calculator
Weaknesses | | CWE-98
CPEs | | cpe:2.3:a:kanev:cab_fare_calculator:1.0.3:*:*:*:*:*:*:*
Vendors & Products | | Kanev; Kanev cab Fare Calculator
References | |
Metrics | | cvssV3_1 {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}; cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T13:24:20.647Z

Reserved: 2026-01-11T13:34:26.332Z

Link: CVE-2022-50954

Vulnrichment

Updated: 2026-05-11T13:15:40.160Z

NVD

Status: Received

Published: 2026-05-10T13:16:32.917

Modified: 2026-05-10T13:16:32.917

Link: CVE-2022-50954

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T21:23:55Z

Weaknesses