Description
WordPress Plugin cab-fare-calculator 1.0.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the controller parameter in tblight.php. Attackers can supply path traversal sequences through the controller GET parameter to include arbitrary files outside the intended controllers directory.
Published: 2026-05-10
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The cab‑fare‑calculator WordPress plugin version 1.0.3 contains a local file inclusion flaw that can be exploited without authentication. By manipulating the controller GET parameter in tblight.php, an attacker can inject path traversal sequences that cause the plugin to include files outside of its intended controllers directory, allowing arbitrary file reads. This flaw corresponds to CWE‑98 and can expose configuration files, credentials, or other sensitive data stored on the web host, potentially leading to further compromise.

Affected Systems

WordPress sites that have the cab‑fare‑calculator plugin installed, specifically version 1.0.3 released by the vendor cab‑fare‑calculator. No other versions are listed as affected in the available data.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity, with the vulnerability being exploitable over the network by any user able to craft a URL to the plugin’s controller endpoint. The EPSS score of <1% indicates a very low but non‑zero exploitation probability, and the vulnerability is not currently listed in the CISA KEV catalog, suggesting no confirmed exploitation yet. However, because the attack does not require authentication, the risk of exploitation remains significant for sites that have not updated the plugin.

Generated by OpenCVE AI on May 26, 2026 at 02:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the cab‑fare‑calculator plugin to the latest version that removes the insecure controller handling.
  • If an update is unavailable, permanently disable or uninstall the plugin from the WordPress installation.
  • Configure the web server to deny HTTP access to the plugin’s tblight.php file or set strict file permissions on plugin directories to prevent unintended file reads.
  • Validate or sanitize the controller parameter to reject path traversal characters (e.g., no '..' sequences).
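A sketch of the validation the last bullet asks for, as an added example that is not the plugin's own code: an allow-list combined with a realpath() containment check, which is stricter than filtering '..' sequences. The function name, the one-file-per-controller directory layout and the controller names are assumptions.

```php
<?php
// Added example; not code from the cab-fare-calculator plugin.
// Assumed layout: controllers live as <name>.php inside one directory.

/**
 * Resolve a request-supplied controller name to a file inside $baseDir.
 * Returns the absolute path, or null when the name must be rejected.
 */
function resolve_controller(?string $name, string $baseDir, array $allowed): ?string
{
    // 1. Allow-list: only names the application knows about (hypothetical list).
    if ($name === null || !in_array($name, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: plain identifier only, so no '/', '\', '.', NUL or wrappers.
    if (!preg_match('/\A[a-z][a-z0-9_]{0,31}\z/', $name)) {
        return null;
    }
    // 3. Containment: canonicalise and confirm the file is still under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary controllers directory holding one controller.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'controllers_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'booking.php', "<?php // demo\n");
$allowed = ['booking', 'payment'];  // hypothetical controller names

foreach (['booking', 'payment', '../booking', 'Booking', 'booking.php', ''] as $input) {
    $resolved = resolve_controller($input, $dir, $allowed);
    printf("%-14s => %s\n", var_export($input, true), $resolved === null ? 'rejected' : 'accepted');
}

unlink($dir . DIRECTORY_SEPARATOR . 'booking.php');
rmdir($dir);
```

A request handler would answer 404 when the function returns null and pass only the returned path to include.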



Advisories

No advisories yet.

History

Tue, 26 May 2026 00:00:00 +0000

Type: Description
Values Removed: WordPress Plugin cab-fare-calculator 1.0.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the controller parameter in tblight.php. Attackers can supply path traversal sequences through the controller GET parameter to include and execute files outside the intended controllers directory.
Values Added: WordPress Plugin cab-fare-calculator 1.0.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the controller parameter in tblight.php. Attackers can supply path traversal sequences through the controller GET parameter to include arbitrary files outside the intended controllers directory.

Mon, 11 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 10 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Cab-fare-calculator
Cab-fare-calculator cab-fare-calculator
Wordpress
Wordpress wordpress
Vendors & Products Cab-fare-calculator
Cab-fare-calculator cab-fare-calculator
Wordpress
Wordpress wordpress

Sun, 10 May 2026 12:45:00 +0000

Type Values Removed Values Added
Description WordPress Plugin cab-fare-calculator 1.0.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the controller parameter in tblight.php. Attackers can supply path traversal sequences through the controller GET parameter to include and execute files outside the intended controllers directory.
Title WordPress Plugin cab-fare-calculator 1.0.3 Local File Inclusion
First Time appeared Kanev
Kanev cab Fare Calculator
Weaknesses CWE-98
CPEs cpe:2.3:a:kanev:cab_fare_calculator:1.0.3:*:*:*:*:*:*:*
Vendors & Products Kanev
Kanev cab Fare Calculator
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-25T23:41:21.397Z

Reserved: 2026-01-11T13:34:26.332Z

Link: CVE-2022-50954

Vulnrichment

Updated: 2026-05-11T13:15:40.160Z

NVD

Status: Deferred

Published: 2026-05-10T13:16:32.917

Modified: 2026-05-26T00:16:46.900

Link: CVE-2022-50954

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T02:30:26Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')