PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-50954 Wordpress CVE debrief

CVE-2022-50954 is a local file inclusion flaw in the WordPress plugin cab-fare-calculator version 1.0.3. An unauthenticated attacker can manipulate the controller parameter in tblight.php to traverse paths outside the intended controllers directory and include unintended files. In practical terms, this can expose sensitive local files on the server and may also enable file inclusion behavior beyond normal plugin scope. The supplied record rates the issue CVSS 6.9 (Medium) and maps it to CWE-98.

Vendor: Wordpress
Product: Unknown
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-10
Original CVE updated: 2026-05-10
Advisory published: 2026-05-10
Advisory updated: 2026-05-10

Who should care

WordPress site owners and administrators running cab-fare-calculator 1.0.3, managed hosting teams, and defenders who monitor public WordPress plugin exposure should treat this as relevant. Any environment that cannot quickly verify the installed plugin version should also care.

Technical summary

The supplied NVD/VulnCheck material describes an unauthenticated local file inclusion in tblight.php. The vulnerable input is the controller GET parameter, which accepts path traversal sequences that reach files outside the intended controllers directory. The record identifies CWE-98 and indicates no authentication is required. The references also include the plugin page and a public Exploit-DB entry, which shows that the issue is publicly documented.

Defensive priority

Medium priority. If the plugin is installed, verify whether version 1.0.3 is present and remove, disable, or replace it promptly. Because the flaw is unauthenticated and affects file inclusion, exposed instances deserve near-term remediation.

Recommended defensive actions

  • Inventory WordPress sites for the cab-fare-calculator plugin and confirm whether version 1.0.3 is installed.
  • Disable or remove the plugin if it is not required for business function.
  • If the plugin must remain in use, apply the vendor or maintainer fix if one is available and verify the file inclusion path handling has been corrected.
  • Review web logs for requests to tblight.php involving controller parameters and unusual path traversal sequences.
  • Check for unexpected file access, configuration exposure, or other signs that local files may have been read.
  • Use defense-in-depth controls such as least-privilege file permissions and routine plugin review to reduce impact from future plugin flaws.
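
One way to carry out the log review recommended above, as an added example that is not part of the original debrief or the plugin's code: it scans Combined Log Format lines for requests to tblight.php whose controller parameter contains path separators or dot-dot sequences after repeated percent-decoding. The log lines, plugin path, addresses and the controller name "booking" are constructed for illustration, and the rule that a legitimate controller value is a bare name is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined Log Format: client IP ... "METHOD target HTTP/x.y" status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252f) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious_controller(value):
    """Assumption: a legitimate controller value is a bare name, so any
    path separator, dot-dot sequence or NUL byte is worth an alert."""
    v = fully_decode(value).replace("\\", "/")
    return ".." in v or "/" in v or "\x00" in v

def scan(lines):
    """Return (client_ip, status, decoded_value) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/tblight.php"):
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == "controller" and is_suspicious_controller(value):
                hits.append((m["ip"], m["status"], fully_decode(value)))
    return hits

# Constructed sample lines (not real traffic); the plugin path is assumed.
P = "/wp-content/plugins/cab-fare-calculator/tblight.php"
T = "[10/May/2026:13:20:01 +0000]"
SAMPLE_LOG = [
    f'203.0.113.7 - - {T} "GET {P}?controller=booking HTTP/1.1" 200 512',
    f'198.51.100.23 - - {T} "GET {P}?controller=../../../EXAMPLE-FILE HTTP/1.1" 200 90',
    f'198.51.100.23 - - {T} "GET {P}?controller=..%252f..%252fEXAMPLE-FILE HTTP/1.1" 404 0',
    f'198.51.100.23 - - {T} "GET /index.php?controller=../EXAMPLE-FILE HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for ip, status, value in scan(SAMPLE_LOG):
        # A 2xx status on a flagged request deserves the closest look.
        print(f"{ip} status={status} controller={value!r}")
```

Flagged requests that returned a 2xx status are the ones to correlate first with the file-access and configuration-exposure checks in the list above.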

Evidence notes

This debrief is based only on the supplied NVD record and its referenced sources. The core vulnerability description comes from the NVD-supplied summary and the VulnCheck advisory reference. The plugin reference at wordpress.org supports product identification, while the Exploit-DB reference indicates public availability of exploit discussion without requiring this debrief to reproduce it.

Official resources

The supplied corpus attributes the issue to VulnCheck disclosure references and shows the NVD record published and modified on 2026-05-10T13:16:32.917Z. The CVE identifier is CVE-2022-50954, but the timestamps provided in this corpus should