CVE-2022-1391
Published: 25 April 2022
Summary
CVE-2022-1391 is a critical-severity Path Traversal (CWE-22) vulnerability in Kanev Cab Fare Calculator. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The Cab fare calculator WordPress plugin before version 1.0.4 is affected by a local file inclusion vulnerability (CWE-22). The plugin fails to validate the controller parameter prior to passing it to PHP require statements, allowing path traversal that can include arbitrary local files on the server.
Unauthenticated remote attackers can exploit the flaw over the network by supplying a crafted controller value in requests to the plugin. Successful exploitation yields full control over file inclusion, resulting in disclosure of sensitive files, potential code execution, or other impacts consistent with the CVSS 9.8 rating that covers confidentiality, integrity, and availability.
Public references on WPScan and PacketStorm document the issue and provide proof-of-concept material, while the plugin description indicates that the vulnerability is resolved by upgrading to version 1.0.4 or later.
The EPSS score reached a peak of 0.7368 and currently stands at 0.6671, reflecting sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-24708
Vulnerability details
The Cab fare calculator WordPress plugin before 1.0.4 does not validate the controller parameter before using it in require statements, which could lead to Local File Inclusion issues.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validates pathnames and filenames to prevent traversal outside intended directories.
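The control above, applied to the pattern described under "Deeper analysis" (a request parameter reaching PHP require unvalidated), as an added example that is not the plugin's own code; the controller names, directory layout and function names are assumptions.

```php
<?php
// Added example, not taken from the Cab fare calculator plugin.
// Shows the weakness class behind CVE-2022-1391 (an unvalidated
// parameter reaching require) next to the mitigating control: allowlist
// the name, then confine the resolved path to the intended directory.
// CONTROLLER_DIR and ALLOWED_CONTROLLERS are assumed values.

declare(strict_types=1);

const CONTROLLER_DIR = __DIR__ . '/controllers';

// Only controllers the plugin actually ships; anything else is rejected.
const ALLOWED_CONTROLLERS = ['fare', 'settings', 'admin'];

/**
 * Vulnerable pattern (for contrast only): the request value is used
 * as-is, so traversal sequences and absolute paths reach require unchanged.
 */
function load_controller_unsafe(string $controller): void
{
    require CONTROLLER_DIR . '/' . $controller . '.php';
}

/**
 * Hardened pattern: accept only allowlisted names, then verify the
 * resolved path still lives inside CONTROLLER_DIR before including it.
 * Returns the included path, or null when the request is rejected.
 */
function load_controller_safe(string $controller): ?string
{
    // 1. Exact-match allowlist: rejects empty strings, slashes, dots, null bytes.
    if (!in_array($controller, ALLOWED_CONTROLLERS, true)) {
        return null;
    }

    // 2. Defense in depth: resolve symlinks and check directory containment.
    $base = realpath(CONTROLLER_DIR);
    $path = realpath(CONTROLLER_DIR . '/' . $controller . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    require $path;
    return $path;
}

// Dispatch: read the controller parameter, default to the fare page.
$requested = isset($_GET['controller']) ? (string) $_GET['controller'] : 'fare';
if (load_controller_safe($requested) === null) {
    http_response_code(400);
    exit('Invalid controller');
}
```

The allowlist alone closes the traversal; the realpath containment check is there so a later change to how names are built cannot silently reopen it.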