Cost Calculator <= 1.4 is vulnerable to Local File Inclusion (LFI) vulnerability

The Cost Calculator WordPress plugin through 1.7 allows authenticated users (Contributor+ in versions < 1.5, and Admin+ in versions <= 1.8) to perform path traversal and local PHP file inclusion on Windows Web Servers via the Cost Calculator post's Layout