Description
The Canto plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 3.1.1. This is due to the absence of any capability check or nonce verification in the updateOptions() function, which is exposed via two AJAX hooks: wp_ajax_updateOptions (class-canto.php line 231) and wp_ajax_fbc_updateOptions (class-canto-settings.php line 76). Both hooks are registered exclusively under the wp_ajax_ prefix (requiring only a logged-in user), with no call to current_user_can() or check_ajax_referer(). This makes it possible for authenticated attackers with subscriber-level access and above to arbitrarily modify or delete plugin options controlling cron scheduling behavior (fbc_duplicates, fbc_cron, fbc_schedule, fbc_cron_time_day, fbc_cron_time_hour, fbc_cron_start) and to manipulate or clear the plugin's scheduled WordPress cron event (fbc_scheduled_update).
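The description above turns on two missing WordPress checks: an AJAX hook registered under wp_ajax_ alone is reachable by every logged-in account, and a handler that calls neither current_user_can() nor check_ajax_referer() will act on any such request. The following PHP is an added illustration, not code from the Canto plugin: every name (the example_* hooks, functions and option keys, the "example-admin" script handle, and the example_scheduled_update cron hook) is hypothetical, and the option keys merely stand in for cron-scheduling settings of the kind the advisory lists. It shows the vulnerable shape beside a hardened handler that adds the nonce check, the capability check, an allow-list for the option names, and type validation before touching the scheduled event.

```php
<?php
// Added illustration, not code from the Canto plugin. All example_* names,
// the "example-admin" script handle and the option keys are hypothetical.

// --- Vulnerable pattern: the shape the advisory describes -------------------
// Registered only under wp_ajax_, so any logged-in user (Subscriber and up)
// reaches it, and the handler never checks a capability or a nonce.
add_action( 'wp_ajax_example_update_options_unsafe', 'example_update_options_unsafe' );

function example_update_options_unsafe() {
    // Writes whatever the caller sent straight into the options table.
    foreach ( $_POST as $key => $value ) {
        update_option( $key, $value );
    }
    wp_send_json_success();
}

// --- Hardened pattern -------------------------------------------------------
add_action( 'wp_ajax_example_update_options', 'example_update_options' );

function example_update_options() {
    // 1. Nonce: rejects forged requests that ride on an existing login
    //    session. On failure WordPress stops the request with a 403.
    check_ajax_referer( 'example_update_options', 'nonce' );

    // 2. Capability: only users who may manage site settings get further.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Allow-list and validate: the handler decides which options exist
    //    and what each may hold, instead of trusting request keys.
    $schema = array(
        'example_cron'           => 'bool',
        'example_schedule'       => 'enum',
        'example_cron_time_hour' => 'hour',
    );
    $recurrences = array( 'hourly', 'twicedaily', 'daily' );
    $post        = wp_unslash( $_POST );

    foreach ( $schema as $option => $type ) {
        if ( ! isset( $post[ $option ] ) ) {
            continue;
        }
        $raw = $post[ $option ];
        switch ( $type ) {
            case 'bool':
                $value = (bool) absint( $raw );
                break;
            case 'enum':
                $value = sanitize_key( $raw );
                if ( ! in_array( $value, $recurrences, true ) ) {
                    wp_send_json_error( array( 'message' => "Invalid value for $option." ), 400 );
                }
                break;
            case 'hour':
                $value = absint( $raw );
                if ( $value > 23 ) {
                    wp_send_json_error( array( 'message' => "Invalid value for $option." ), 400 );
                }
                break;
        }
        update_option( $option, $value );
    }

    // 4. Reschedule the plugin's event from the validated options only.
    wp_clear_scheduled_hook( 'example_scheduled_update' );
    if ( get_option( 'example_cron' ) ) {
        wp_schedule_event( time(), get_option( 'example_schedule', 'daily' ), 'example_scheduled_update' );
    }

    wp_send_json_success();
}

// The admin page that calls the hardened endpoint must ship the matching
// nonce; the handler above expects it in the "nonce" request field.
// Assumes a script registered under the hypothetical handle "example-admin".
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_update_options' ),
    ) );
} );
```

The ordering matters: check_ajax_referer() runs first so that a forged request is dropped before any capability lookup, and the capability test uses manage_options rather than a role name, since WordPress authorizes on capabilities. For the verification step in the recommended actions below, the current state of a site's scheduled events can be listed with the WP-CLI command wp cron event list, which makes an unexpected change to a plugin's event visible without reading the options table directly.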
Published: 2026-04-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Modification of Plugin Settings
Action: Update Plugin
AI Analysis

Impact

The Canto WordPress plugin contains a missing authorization flaw in its AJAX endpoints updateOptions and fbc_updateOptions. The functions have no capability check or nonce validation, allowing any logged‑in user with subscriber rights or higher to call them. This vulnerability lets the attacker alter or delete all plugin configuration parameters that control cron scheduling and the scheduled WordPress cron event. The flaw is mapped to CWE‑862 and can effectively disable or modify the plugin’s scheduled tasks.

Affected Systems

This issue affects the Canto content management plugin for WordPress versions up to 3.1.1. Any WordPress site running that version, regardless of other plugins or theme, is vulnerable.

Risk and Exploitability

The CVSS v3.1 score is 4.3, indicating moderate impact. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalogue, suggesting limited public exploitation data. Because the flaw is only exposed to authenticated users and no privileges are checked, any user with subscriber-level access can exploit it. The lack of a nonce check also means the attack can be performed via crafted HTTP requests, making it relatively straightforward for an insider or compromised account. While the current risk is moderate, the ability to change scheduled cron events could lead to denial of service or execution‑timing changes if a malicious actor gains access.

Generated by OpenCVE AI on April 17, 2026 at 08:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Canto plugin to version 3.1.2 or higher.
  • If an immediate update is not possible, block access to the wp_ajax_updateOptions and wp_ajax_fbc_updateOptions endpoints for users without administrator privileges using a web application firewall or .htaccess rules.
  • Remove or disable the plugin’s scheduled WordPress cron event manually and verify that no unauthorized changes occur.



Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared | (none)         | Flightbycanto, Flightbycanto canto, Wordpress, Wordpress wordpress
Vendors & Products  | (none)         | Flightbycanto, Flightbycanto canto, Wordpress, Wordpress wordpress

Fri, 17 Apr 2026 17:15:00 +0000

Type    | Values Removed | Values Added
Metrics | (none)         | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 07:00:00 +0000

Type        | Values Removed | Values Added
Description | (none)         | The Canto plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 3.1.1. This is due to the absence of any capability check or nonce verification in the updateOptions() function, which is exposed via two AJAX hooks: wp_ajax_updateOptions (class-canto.php line 231) and wp_ajax_fbc_updateOptions (class-canto-settings.php line 76). Both hooks are registered exclusively under the wp_ajax_ prefix (requiring only a logged-in user), with no call to current_user_can() or check_ajax_referer(). This makes it possible for authenticated attackers with subscriber-level access and above to arbitrarily modify or delete plugin options controlling cron scheduling behavior (fbc_duplicates, fbc_cron, fbc_schedule, fbc_cron_time_day, fbc_cron_time_hour, fbc_cron_start) and to manipulate or clear the plugin's scheduled WordPress cron event (fbc_scheduled_update).
Title       | (none)         | Canto <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Setting Modification
Weaknesses  | (none)         | CWE-862
References  | (none)         | (none)
Metrics     | (none)         | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Flightbycanto Canto
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-17T16:39:26.532Z

Reserved: 2026-04-16T18:15:29.101Z

Link: CVE-2026-6441

Vulnrichment

Updated: 2026-04-17T16:39:17.355Z

NVD

Status : Received

Published: 2026-04-17T07:16:03.020

Modified: 2026-04-17T07:16:03.020

Link: CVE-2026-6441

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:35:30Z

Weaknesses