Canto <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Setting Modification
Description
The Canto plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 3.1.1. This is due to the absence of any capability check or nonce verification in the updateOptions() function, which is exposed via two AJAX hooks: wp_ajax_updateOptions (class-canto.php line 231) and wp_ajax_fbc_updateOptions (class-canto-settings.php line 76). Both hooks are registered exclusively under the wp_ajax_ prefix (requiring only a logged-in user), with no call to current_user_can() or check_ajax_referer(). This makes it possible for authenticated attackers with subscriber-level access and above to arbitrarily modify or delete plugin options controlling cron scheduling behavior (fbc_duplicates, fbc_cron, fbc_schedule, fbc_cron_time_day, fbc_cron_time_hour, fbc_cron_start) and to manipulate or clear the plugin's scheduled WordPress cron event (fbc_scheduled_update).
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Technical Details
Research Plan: CVE-2026-6441 - Missing Authorization in Canto Plugin
1. Vulnerability Summary
The Canto plugin for WordPress (versions <= 3.1.1) contains a missing authorization vulnerability in its option-updating logic. The function updateOptions() is registered as an AJAX handler for authenticated users (wp_ajax_ prefix) but fails to implement any current_user_can() capability checks or check_ajax_referer() nonce verifications. Consequently, any logged-in user, including those with the lowest privilege (Subscriber), can modify or delete critical plugin settings and manipulate scheduled cron events.
2. Attack Vector Analysis
- Endpoints: /wp-admin/admin-ajax.php
- AJAX Actions: updateOptions (registered in class-canto.php around line 231) and fbc_updateOptions (registered in class-canto-settings.php around line 76)
- HTTP Method: POST
- Vulnerable Parameter: The parameters handled by updateOptions() typically include setting keys such as fbc_duplicates, fbc_cron, fbc_schedule, etc.
- Required Authentication: Any logged-in user (Subscriber-level and above).
- Preconditions: The plugin must be active.
3. Code Flow
- Entry Point: An authenticated user sends a POST request to /wp-admin/admin-ajax.php with the action parameter set to either updateOptions or fbc_updateOptions.
- Hook Trigger: WordPress core identifies the action and triggers the corresponding wp_ajax_ hook.
- Handler Execution: The handler calls the updateOptions() function (located in either class-canto.php or class-canto-settings.php).
- Vulnerable Sink: The updateOptions() function likely reads keys from $_POST and passes them directly to update_option() or delete_option() without checking whether the current user is an administrator or verifying a CSRF nonce.
- Side Effect: If fbc_scheduled_update is passed or manipulated, the plugin may call wp_clear_scheduled_hook() or wp_schedule_event(), altering the site's cron behavior.
4. Nonce Acquisition Strategy
According to the vulnerability description, there is an absence of any nonce verification in the updateOptions() function. Therefore, no nonce is required to exploit this vulnerability. The attacker only needs a valid session cookie for a Subscriber-level user.
5. Exploitation Strategy
The goal is to modify a plugin setting (e.g., fbc_cron) from a Subscriber account.
- Login: Authenticate as a Subscriber user using browser_login.
- Draft Payload: Prepare a POST request to admin-ajax.php. Based on the description, we will target the fbc_cron option.
- Submit Request: Use the http_request tool to send the following payload:
  - URL: https://[TARGET]/wp-admin/admin-ajax.php
  - Method: POST
  - Headers: Content-Type: application/x-www-form-urlencoded
  - Body: action=updateOptions&fbc_cron=0 (or action=fbc_updateOptions&fbc_cron=0)
6. Test Data Setup
- Create Subscriber: Use WP-CLI to create a test subscriber: wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
- Initialize Options: Ensure the Canto plugin is installed and active, and set an initial value for the targeted option: wp option update fbc_cron 1
7. Expected Results
- Response: The server should return a successful HTTP 200 OK response (likely returning 1 or a JSON success message if the plugin follows standard AJAX patterns).
- Database Change: The WordPress option fbc_cron should be updated in the wp_options table from 1 to 0.
- Access Control Failure: The request succeeds despite the user lacking manage_options capabilities.
8. Verification Steps
After the exploit attempt, verify the change using WP-CLI:
- Check Option Value: wp option get fbc_cron. Success Criteria: The command returns 0.
- Check Cron Events (Optional): If fbc_scheduled_update was targeted: wp cron event list | grep fbc_scheduled_update. Success Criteria: The event is either missing or modified as per the payload.
9. Alternative Approaches
If the initial payload fbc_cron=0 does not work, it might be because the updateOptions function expects an array or specific structure.
- Alternative Payload 1 (Array-style): action=updateOptions&options[fbc_cron]=0
- Alternative Payload 2 (JSON-style): action=updateOptions&data={"fbc_cron":"0"} (This is less common for standard wp_ajax but possible.)
- Alternative Payload 3 (Action specific): Try both updateOptions and fbc_updateOptions actions, as they are registered in different files.
- Testing Deletion: Try to clear an option by sending an empty value or a specific parameter that triggers deletion if the code supports it (e.g., fbc_cron=).
Summary
The Canto plugin for WordPress (versions 3.1.1 and earlier) fails to implement authorization checks and nonce verification in its option-updating logic. This allows authenticated users with subscriber-level privileges or higher to modify or delete plugin settings related to cron scheduling and manipulate scheduled WordPress cron events.
Vulnerable Code
// class-canto.php around line 231
add_action('wp_ajax_updateOptions', array($this, 'updateOptions'));

// class-canto-settings.php around line 76
add_action('wp_ajax_fbc_updateOptions', array($this, 'updateOptions'));

// Inferred logic for updateOptions() based on vulnerability description
public function updateOptions() {
    // Missing current_user_can('manage_options') check
    // Missing check_ajax_referer() nonce check
    if (isset($_POST['fbc_cron'])) {
        update_option('fbc_cron', sanitize_text_field($_POST['fbc_cron']));
    }
    // ... processes fbc_duplicates, fbc_schedule, fbc_cron_time_day, fbc_cron_time_hour, fbc_cron_start ...
    if (isset($_POST['fbc_scheduled_update'])) {
        // Logic to clear or reschedule cron events
    }
    wp_die();
}
Security Fix
@@ -76,4 +76,9 @@ public function updateOptions() { + if (!current_user_can('manage_options')) { + wp_send_json_error('Forbidden', 403); + } + check_ajax_referer('canto_settings_nonce', 'nonce'); + // ... rest of function logic }
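Review bot: The `@@ -76,4` context places these checks only in the updateOptions() at class-canto-settings.php line 76, but the advisory names a second entry point, wp_ajax_updateOptions registered in class-canto.php around line 231 with its own `array($this, 'updateOptions')` callback; that method needs the same `current_user_can('manage_options')` and `check_ajax_referer()` guard, otherwise the bypass remains reachable via action=updateOptions. Also confirm that the settings page emits a nonce for the action name 'canto_settings_nonce' in a request field named 'nonce' (via wp_create_nonce() or wp_nonce_field()) and that the plugin's JavaScript sends it, since check_ajax_referer() will otherwise reject the plugin's own legitimate saves; the 403 branch is fine as written because wp_send_json_error() terminates the request.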
Exploit Outline
The exploit targets the AJAX endpoints registered by the plugin. An attacker must first authenticate as a Subscriber-level user. They then send a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to 'updateOptions' or 'fbc_updateOptions'. The payload includes the specific setting keys they wish to modify, such as 'fbc_cron=0' to disable plugin synchronization or 'fbc_scheduled_update=1' to trigger/clear scheduled tasks. Because the function lacks capability checks and nonce validation, the server processes these updates as if they were requested by an administrator.
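As an added example, not part of this advisory or of the Canto plugin's own code: a must-use plugin that a site operator can place in wp-content/mu-plugins/ as an interim mitigation until Canto is updated past 3.1.1. It hooks the two AJAX actions named above at priority 0 so it runs before the plugin's handlers, rejects callers without manage_options and logs the attempt; the function name canto_guard_require_manage_options is assumed, and nonce enforcement is left to the vendor fix because the plugin's legitimate admin page may not send one.

```php
<?php
/**
 * Plugin Name: Canto updateOptions guard (added example, not part of Canto)
 *
 * Interim mitigation for Canto <= 3.1.1: run ahead of the plugin's own
 * wp_ajax_updateOptions / wp_ajax_fbc_updateOptions handlers and stop the
 * request unless the caller may manage options. Nonces are deliberately
 * not enforced here, since the plugin's admin UI may not send one; the
 * vendor patch adds check_ajax_referer() for CSRF protection.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Deny the request unless the current user holds manage_options.
 * wp_send_json_error() ends execution, so the plugin's handler that is
 * registered on the same hook (default priority 10) never runs.
 */
function canto_guard_require_manage_options() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrator: let the plugin's own handler proceed
    }

    // Record the blocked attempt for the server error log / SIEM.
    error_log( sprintf(
        'canto_guard: blocked action=%s user_id=%d ip=%s',
        isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : ''
    ) );

    wp_send_json_error( 'Forbidden', 403 );
}

// Priority 0 runs before the plugin's add_action() calls on the same hooks.
// Both hook names come from the advisory above.
foreach ( array( 'wp_ajax_updateOptions', 'wp_ajax_fbc_updateOptions' ) as $hook ) {
    add_action( $hook, 'canto_guard_require_manage_options', 0 );
}
```

Because wp_ajax_ hooks only fire for logged-in users, current_user_can() always has a real user context here; remove the guard once the patched plugin version is installed.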