Cost Calculator <= 1.8 – Authenticated Local File Inclusion | CVE 2021-24820 | Plugin Vulnerabilities

Description

The plugin allows authenticated users (Contributor+ in versions < 1.5, and Admin+ in versions <= 1.8) to perform path traversal and local PHP file inclusion on Windows Web Servers via the Cost Calculator post's Layout

Proof of Concept

As a contributor, create a Cost Calculator post, set the Layout to /../../../../../../../../../../file (assuming the file to include is at C:\xampp\file.php and WordPress is installed at C:\xampp\htdocs\wordpress). Save as draft, then embde the calculator using the related shortcode (e.g [nd_cost_calculator id="806"]) and preview the post to trigger the LFI.

Affects Plugins

No known fix

References

CVE

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

47652b24-a6f0-4bbc-834e-496b88523fe7

Timeline

Publicly Published

2022-02-01 (about 3 years ago)

Added

2022-02-01 (about 3 years ago)

Last Updated

2022-05-24 (about 3 years ago)

Other

Published

Title

Published

2015-07-07

Title

S3Bubble Amazon S3 Video And Audio Streaming With Analytics <= 2.0 - Arbitrary File Download

Published

2023-03-06

Title

WP Dark Mode < 4.0.8 - Subscriber+ Local File Inclusion

Published

2025-07-07

Title

Easy Video Player Wordpress & WooCommerce <= 10.0 - Unauthenticated Arbitrary File Download

Published

2015-01-01

Title

Cart66 Pro <= 1.5.3 - Authenticated Arbitrary File Disclosure

Published

2025-08-25

Title

Pro Bulk Watermark Plugin for WordPress <= 2.0 - Authenticated (Subscriber+) Path Traversal