CVE-2022-3556 in Cab Fare Calculator Plugin
Summary
by MITRE • 09/05/2024
The Cab fare calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vehicle title setting in versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrative privileges to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/11/2025
The vulnerability identified as CVE-2022-3556 resides within the Cab fare calculator plugin for WordPress, specifically targeting versions up to and including 1.1.6. This represents a critical security flaw that exploits stored cross-site scripting vulnerabilities through the vehicle title setting, creating a persistent threat vector that can compromise user sessions and execute malicious code within the context of affected websites. The vulnerability's exploitation requires authenticated access with administrative privileges, making it particularly dangerous in environments where administrative accounts are compromised or where attackers can gain elevated access through other means. The flaw demonstrates poor input validation practices and inadequate output escaping mechanisms that allow attackers to inject malicious scripts that persist in the database and execute whenever affected pages are accessed.
The technical implementation of this vulnerability stems from insufficient sanitization of user input within the vehicle title parameter, which is processed and stored without proper validation or escaping mechanisms. When administrators modify vehicle titles through the plugin's interface, the input fails to undergo adequate filtering to prevent script injection attempts. This weakness aligns with CWE-79, which specifically addresses cross-site scripting vulnerabilities resulting from inadequate input validation and output escaping. The vulnerability's impact is amplified in multi-site WordPress installations where the attack surface expands beyond individual sites to potentially affect entire network ecosystems. Additionally, the condition requiring unfiltered_html to be disabled creates a specific operational context where this vulnerability becomes exploitable, as it relies on the plugin's failure to properly sanitize input even when WordPress core security measures are in place.
The operational impact of CVE-2022-3556 extends beyond simple script execution, as it enables attackers to manipulate the plugin's functionality and potentially gain deeper access to affected systems. When malicious scripts are injected into vehicle titles, they execute in the context of authenticated users who access affected pages, creating opportunities for session hijacking, data exfiltration, and further compromise of the WordPress installation. The vulnerability's restriction to multi-site installations and environments with disabled unfiltered_html means that not all WordPress deployments are equally at risk, but those that meet these criteria face significant exposure. Attackers can leverage this vulnerability to establish persistent backdoors, modify plugin behavior, or redirect users to malicious sites, making it a valuable target for threat actors seeking to maintain long-term access to compromised systems.
Mitigation strategies for CVE-2022-3556 should prioritize immediate plugin updates to versions that address the identified sanitization flaws, as this represents the most direct and effective solution to prevent exploitation. Organizations should also implement comprehensive input validation measures and ensure that all user-supplied data undergoes proper sanitization before being stored or processed within the application. The implementation of Content Security Policy headers can provide additional protection against script execution even if input validation fails, while regular security audits and monitoring of plugin functionality can help identify potential exploitation attempts. Security teams should also consider implementing privileged access controls and regular credential rotation to minimize the impact of potential compromise, as the vulnerability requires administrative privileges to exploit effectively. This vulnerability demonstrates the importance of proper input validation and output escaping practices, as outlined in the OWASP Top Ten and other industry security frameworks, particularly in the context of content management systems where plugins can introduce additional attack vectors.