CVE-2022-1391
published 2022-04-25


Priority: P180 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Status: ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 13.59% (96.0th percentile)
The Cab fare calculator WordPress plugin before 1.0.4 does not validate the controller parameter before using it in require statements, which could lead to Local File Inclusion issues.

Affected

1 range

Vendor: kanev
Product: cab_fare_calculator
Version range: < 1.0.4
Fixed in: 1.0.4

Detection & IOCs (extracted from sources)

url: {{BaseURL}}/wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../../../../../../etc/passwd%00&action=1&ajax=1
path: /wp-content/plugins/cab-fare-calculator/tblight.php
  • Send a GET request to /wp-content/plugins/cab-fare-calculator/tblight.php with the 'controller' parameter set to a path traversal payload targeting /etc/passwd (null-byte terminated), with action=1 and ajax=1. A successful LFI response will contain the regex pattern 'root:[x*]:0:0' and return HTTP 200.
  • The vulnerable parameter is 'controller', which is passed unsanitized into a PHP require statement, enabling path traversal / Local File Inclusion. Null-byte (%00) is appended to truncate the file extension.
  • The null-byte truncation technique (%00) is only effective on PHP versions below 5.3.4, where null bytes terminate file paths. On modern PHP, the payload may need to be adapted.
  • The vulnerability affects Cab fare calculator WordPress plugin versions strictly before 1.0.4. Installations at 1.0.4 or later are not affected.

CVSS provenance

Source: nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
Source: vulncheck · 9.8 CRITICAL
Source: vendor_redhat · 5.5 MEDIUM