Cyber Resilience

CVE-2022-1391

Critical · Public PoC

Published: 25 April 2022
Modified: 21 November 2024
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6671 (98.6th percentile)
Risk Priority: 60 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-1391 is a critical-severity Path Traversal (CWE-22) vulnerability in Kanev Cab Fare Calculator. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 1.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

The Cab fare calculator WordPress plugin before version 1.0.4 is affected by a local file inclusion vulnerability (CWE-22). The plugin does not validate the controller request parameter before passing it to PHP require statements, so a traversal sequence in that value can cause arbitrary local files on the server to be included.

Unauthenticated remote attackers can exploit the flaw over the network by supplying a crafted controller value in requests to the plugin. Successful exploitation yields full control over file inclusion, resulting in disclosure of sensitive files, potential code execution, or other impacts consistent with the CVSS 9.8 rating that covers confidentiality, integrity, and availability.

Public references on WPScan and PacketStorm document the issue and provide proof-of-concept material, while the plugin description indicates that the vulnerability is resolved by upgrading to version 1.0.4 or later.

The EPSS score reached a peak of 0.7368 and currently stands at 0.6671, reflecting sustained exploitation interest after disclosure.

Vulnerability details

The Cab fare calculator WordPress plugin before 1.0.4 does not validate the controller parameter before using it in require statements, which could lead to Local File Inclusion issues.

CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: kanev
Product: cab fare calculator
Versions: ≤ 1.0.4

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: Validates pathnames and filenames to prevent traversal outside intended directories.
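The control above, applied to the pattern this advisory describes (a request parameter selecting which controller file is loaded), as an added PHP illustration that is not the plugin's own code; the controllers directory, the allowlist entries and the `resolve_controller` helper are assumptions made for the example.

```php
<?php
// Added example, not code from the Cab fare calculator plugin.
// Hardened loading of a request-selected "controller" file. The directory
// and the allowlisted names are assumptions for this illustration.

declare(strict_types=1);

// Only these controller names may ever be loaded (allowlist, not denylist).
const ALLOWED_CONTROLLERS = ['fare', 'settings', 'history'];
const CONTROLLER_DIR = __DIR__ . '/controllers';

/**
 * Resolve a user-supplied controller name to a file path, or return null
 * if it is not acceptable. Two independent checks are applied: the name
 * must be on the allowlist, and the canonical path must stay inside
 * CONTROLLER_DIR (defence in depth against symlinks or future edits).
 */
function resolve_controller(string $name): ?string
{
    // 1. Exact allowlist match: strict comparison, no normalisation.
    if (!in_array($name, ALLOWED_CONTROLLERS, true)) {
        return null;
    }
    // 2. Canonicalise and confirm containment; realpath() returns false
    //    for a missing file, which is also treated as a rejection.
    $base = realpath(CONTROLLER_DIR);
    $path = realpath(CONTROLLER_DIR . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// The weakness described in the advisory is the unvalidated form:
//   require $_GET['controller'];   // CWE-22: never do this
//
// Hardened dispatch: anything that does not resolve is rejected with 400
// and logged, which also gives a clean detection signal for probing.
$controller = isset($_GET['controller']) ? (string) $_GET['controller'] : 'fare';
$file = resolve_controller($controller);
if ($file === null) {
    error_log('rejected controller value: ' . bin2hex($controller));
    http_response_code(400);
    exit('Unknown controller');
}
require $file;
```

The allowlist is the control that actually closes the hole; the realpath containment check is there so that a later edit to the allowlist or a stray symlink in the controllers directory cannot silently reopen it.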