CVE-2022-50954 Overview
CVE-2022-50954 is a local file inclusion (LFI) vulnerability in the WordPress cab-fare-calculator plugin version 1.0.3. The flaw resides in tblight.php, which accepts a controller GET parameter without proper validation. Unauthenticated attackers can supply path traversal sequences through this parameter to include and execute files outside the intended controllers directory. The vulnerability is categorized under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). Successful exploitation enables disclosure of sensitive files on the host filesystem and may lead to code execution if attacker-controlled content can be staged on the server.
Critical Impact
Unauthenticated attackers can read arbitrary files on the WordPress host through path traversal in the controller parameter of tblight.php.
Affected Products
- WordPress Plugin cab-fare-calculator version 1.0.3
- WordPress sites with the cab-fare-calculator plugin installed and activated
- Hosting environments serving the vulnerable plugin via PHP
Discovery Timeline
- 2026-05-10 - CVE-2022-50954 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2022-50954
Vulnerability Analysis
The cab-fare-calculator plugin uses a front-controller pattern in tblight.php. The script reads the controller parameter from the query string and uses its value to construct a path to a PHP file that is then included. Because the input is not validated against an allowlist and path traversal sequences are not filtered, an attacker can break out of the intended controllers directory.
By supplying values such as repeated ../ segments, an attacker forces the include statement to resolve to files anywhere on the filesystem that the web server user can read. PHP then evaluates the target as code where applicable, or returns its contents to the requester. Both outcomes provide attack value: configuration files like wp-config.php reveal database credentials and authentication secrets, while log files or uploaded content may be weaponized for code execution.
Root Cause
The root cause is direct concatenation of attacker-controlled input into a PHP include or require statement without sanitization or allowlisting. The plugin does not normalize the path, strip traversal sequences, or restrict the resolved file to a known base directory.
Attack Vector
The CVSS 4.0 vector scores the attack vector as local; exploitation requires access to the web application surface but no authentication and no user interaction. An attacker issues an HTTP GET request to tblight.php with a crafted controller parameter containing path traversal sequences. See the VulnCheck Advisory on Local File Inclusion and Exploit-DB #50843 for proof-of-concept details.
Detection Methods for CVE-2022-50954
Indicators of Compromise
- HTTP requests to tblight.php containing controller= with ../ or URL-encoded %2e%2e%2f sequences
- Web server access logs showing requests referencing sensitive files such as wp-config.php, /etc/passwd, or PHP session files via the controller parameter
- Unexpected PHP file inclusions originating from the cab-fare-calculator plugin directory
Detection Strategies
- Inspect WordPress access logs for any GET requests to paths containing cab-fare-calculator/tblight.php with non-standard controller values
- Deploy web application firewall (WAF) signatures that flag path traversal patterns in query strings targeting WordPress plugin endpoints
- Audit installed WordPress plugins and flag any instance of cab-fare-calculator at version 1.0.3 or earlier
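As an added example (not part of the original advisory), the following Python hunt applies the indicators above to access-log lines: it isolates requests to tblight.php, repeatedly URL-decodes the controller value so double-encoded traversal (%252e) is not missed, and flags traversal, references to sensitive files, and values outside an allowlist. The log lines are constructed, and the allowlist entry `cabfare` is a hypothetical controller name; the plugin's real controller names are not given on the page.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Combined Log Format); not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2026:12:00:01 +0000] "GET /wp-content/plugins/cab-fare-calculator/tblight.php?controller=cabfare HTTP/1.1" 200 512
203.0.113.7 - - [10/May/2026:12:00:02 +0000] "GET /wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../wp-config.php HTTP/1.1" 200 3102
203.0.113.9 - - [10/May/2026:12:00:03 +0000] "GET /wp-content/plugins/cab-fare-calculator/tblight.php?controller=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1904
198.51.100.2 - - [10/May/2026:12:00:04 +0000] "GET /index.php?p=1 HTTP/1.1" 200 8000
"""

# Hypothetical allowlist: the plugin's legitimate controller names are not documented on the page.
ALLOWED_CONTROLLERS = {"cabfare"}
# File names the advisory lists as disclosure targets ("sess_" is the PHP session-file prefix).
SENSITIVE = ("wp-config.php", "/etc/passwd", "sess_")
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """URL-decode repeatedly (bounded) so %252e%252e%252f collapses to ../ like PHP would see it."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def analyze_line(line):
    """Return the list of indicator names triggered by one log line ([] when benign)."""
    m = REQ_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/cab-fare-calculator/tblight.php"):
        return []  # only the vulnerable front controller is of interest
    findings = []
    # parse_qs decodes one layer; decode_fully handles any remaining encoding layers.
    for raw in parse_qs(url.query, keep_blank_values=True).get("controller", []):
        value = decode_fully(raw)
        if ".." in value or value.startswith("/"):
            findings.append("path-traversal")
        if any(s in value for s in SENSITIVE):
            findings.append("sensitive-file-reference")
        if value not in ALLOWED_CONTROLLERS:
            findings.append("controller-not-in-allowlist")
    return findings

def scan(log_text):
    """Map the client IP of each suspicious request to its indicators."""
    hits = {}
    for line in log_text.splitlines():
        findings = analyze_line(line)
        if findings:
            hits[line.split()[0]] = findings
    return hits
```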
Monitoring Recommendations
- Forward WordPress and web server logs to a centralized analytics platform for query-time hunting of LFI patterns
- Alert on PHP include/require errors referencing files outside the plugin's intended directory
- Monitor outbound traffic and file reads from the web server process for access to credential and configuration files
How to Mitigate CVE-2022-50954
Immediate Actions Required
- Deactivate and remove the cab-fare-calculator plugin from all WordPress installations until a fixed version is confirmed
- Block requests to tblight.php containing .., %2e%2e, or absolute path indicators at the WAF or reverse proxy layer
- Rotate any secrets stored in wp-config.php if log analysis indicates the file may have been disclosed
Patch Information
No vendor patch is referenced in the available advisories. Consult the WordPress Plugin Page for the latest release status. Until a patched version is published, removing the plugin is the recommended remediation.
Workarounds
- Remove or rename tblight.php within the plugin directory to break the vulnerable include path
- Restrict access to wp-content/plugins/cab-fare-calculator/ via web server rules that deny direct requests to plugin PHP files
- Apply WAF rules that enforce an allowlist of acceptable controller parameter values
# Example nginx rule to block path traversal in the controller parameter
location ~ /wp-content/plugins/cab-fare-calculator/tblight\.php$ {
    if ($args ~* "controller=.*(\.\.|%2e%2e)") {
        return 403;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.