Description
The Canto plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1 via the `/wp-content/plugins/canto/includes/lib/copy-media.php` file. This is due to the file being directly accessible without any authentication, authorization, or nonce checks, and the `fbc_flight_domain` and `fbc_app_api` URL components being accepted as user-supplied POST parameters rather than read from admin-configured options. Since the attacker controls both the destination server and the `fbc_app_token` value, the entire fetch-and-upload chain is attacker-controlled — the server never contacts Canto's legitimate API, and the uploaded file originates entirely from the attacker's infrastructure. This makes it possible for unauthenticated attackers to upload arbitrary files (constrained to WordPress-allowed MIME types) to the WordPress uploads directory. Additional endpoints (`detail.php`, `download.php`, `get.php`, `tree.php`) are also directly accessible without authentication and make requests using a user-supplied `app_api` parameter combined with an admin-configured subdomain.
Published: 2026-03-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated File Upload
Action: Immediate Patch
AI Analysis

Impact

The Canto plugin allows unauthenticated users to trigger a file copy routine by POSTing to the copy-media.php endpoint without any authentication, nonce, or domain validation. The endpoint accepts the destination domain and API token as user-supplied parameters and then downloads a file from the attacker-controlled URL, storing it in the WordPress uploads directory. Because the fetched file originates entirely from the attacker's infrastructure, a malicious actor can upload arbitrary content, potentially including executable PHP, subject only to WordPress's MIME type restrictions. This exposes the site to code execution, data tampering, or a foothold for further attacks via the uploaded files.

Affected Systems

WordPress installations using the Canto plugin version 3.1.1 or earlier. The plugin author, flightbycanto, is the identified vendor, and the vulnerability affects all minor releases up to and including 3.1.1. No specific version numbers beyond the maximum are listed, so any deployment of 3.1.1 or older remains susceptible.

Risk and Exploitability

The CVSS v3 score of 5.3 indicates moderate severity, yet the lack of authentication checks makes exploitation straightforward. EPSS data is not available, and the vulnerability is not listed in CISA's KEV catalog. Attackers can exploit the flaw remotely by sending crafted POST requests to copy-media.php, bypassing all authorisation controls and uploading files of their choosing. The risk profile is therefore moderate to high, contingent on the attacker's capability to deliver a malicious file that is allowed by the MIME filter. Proper mitigation is essential to prevent potential code execution or other damage.

Generated by OpenCVE AI on March 21, 2026 at 07:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Canto plugin to the latest version that removes the unauthenticated copy-media endpoint or applies the vendor patch for version 3.1.1 and earlier.
  • Verify that the /wp-content/plugins/canto/includes/lib/copy-media.php file is no longer publicly accessible; if necessary, restrict access via .htaccess or web-server configuration to authenticated users only.
  • Review the WordPress uploads directory permissions and restrict executable file uploads by tightening MIME type restrictions or using a plugin to monitor uploads.
  • Monitor server logs for repeated POST attempts to copy-media.php and investigate any unauthorized files placed in the uploads folder.
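One way to act on the log-monitoring recommendation above, as an added example that is not OpenCVE's or the plugin vendor's code: it parses combined-format web server access logs, flags requests to the five directly accessible Canto lib endpoints named in the description, and counts a POST to copy-media.php (the upload primitive) as a high-priority hit per source address. The log lines are constructed and the helper names are my own.

```python
import re
from collections import Counter

# Endpoints the CVE description lists as directly reachable under the plugin's lib directory.
CANTO_LIB = "/wp-content/plugins/canto/includes/lib/"
CANTO_ENDPOINTS = {"copy-media.php", "detail.php", "download.php", "get.php", "tree.php"}

# Apache/Nginx "combined" log format; the field names are my own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic): one source repeatedly POSTs to copy-media.php.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Mar/2026:06:01:12 +0000] "POST /wp-content/plugins/canto/includes/lib/copy-media.php HTTP/1.1" 200 87 "-" "curl/8.5"',
    '203.0.113.7 - - [21/Mar/2026:06:01:13 +0000] "POST /wp-content/plugins/canto/includes/lib/copy-media.php HTTP/1.1" 200 87 "-" "curl/8.5"',
    '203.0.113.7 - - [21/Mar/2026:06:01:20 +0000] "GET /wp-content/plugins/canto/includes/lib/tree.php?app_api=example HTTP/1.1" 200 512 "-" "curl/8.5"',
    '198.51.100.4 - - [21/Mar/2026:06:02:00 +0000] "GET /wp-content/plugins/canto/includes/lib/copy-media.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [21/Mar/2026:06:03:00 +0000] "GET /wp-content/uploads/2026/03/logo.png HTTP/1.1" 200 4413 "-" "Mozilla/5.0"',
]

def classify(line):
    """Return (ip, method, endpoint, status) when the request targets a Canto lib endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # ignore the query string when matching the file
    if not path.startswith(CANTO_LIB):
        return None
    endpoint = path[len(CANTO_LIB):]
    if endpoint not in CANTO_ENDPOINTS:
        return None
    return m.group("ip"), m.group("method"), endpoint, int(m.group("status"))

def scan(lines):
    """Aggregate hits per source IP. A POST to copy-media.php is the upload primitive, counted as 'high'."""
    findings = {}
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        ip, method, endpoint, status = hit
        f = findings.setdefault(ip, {"high": 0, "endpoints": Counter(), "statuses": Counter()})
        f["endpoints"][endpoint] += 1
        f["statuses"][status] += 1
        if method == "POST" and endpoint == "copy-media.php":
            f["high"] += 1
    return findings
```

Run `scan()` over a real access log (one string per line); any source with `high > 0` should be cross-checked against recently created files in the uploads directory.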

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values added: Flightbycanto; Flightbycanto canto; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values added: Flightbycanto; Flightbycanto canto; Wordpress; Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type: Description
Values added: the description text shown at the top of this page
Type: Title
Values added: Canto <= 3.1.1 - Missing Authorization to Unauthenticated File Upload
Type: Weaknesses
Values added: CWE-862
Type: References
Type: Metrics (cvssV3_1)
Values added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:33:59.358Z

Reserved: 2026-02-27T15:12:19.844Z

Link: CVE-2026-3335

Vulnrichment

Updated: 2026-03-23T18:23:59.496Z

NVD

Status: Deferred

Published: 2026-03-21T04:17:20.780

Modified: 2026-04-24T16:27:44.277

Link: CVE-2026-3335

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:42:41Z

Weaknesses