[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fzhlw3LidJLD2OG1HWy4BnQw89YSGeRkf7Y5iHFnrA8o":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-6441","canto-missing-authorization-to-authenticated-subscriber-arbitrary-setting-modification","Canto \u003C= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Setting Modification","The Canto plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 3.1.1. This is due to the absence of any capability check or nonce verification in the updateOptions() function, which is exposed via two AJAX hooks: wp_ajax_updateOptions (class-canto.php line 231) and wp_ajax_fbc_updateOptions (class-canto-settings.php line 76). Both hooks are registered exclusively under the wp_ajax_ prefix (requiring only a logged-in user), with no call to current_user_can() or check_ajax_referer(). 
This makes it possible for authenticated attackers with subscriber-level access and above to arbitrarily modify or delete plugin options controlling cron scheduling behavior (fbc_duplicates, fbc_cron, fbc_schedule, fbc_cron_time_day, fbc_cron_time_hour, fbc_cron_start) and to manipulate or clear the plugin's scheduled WordPress cron event (fbc_scheduled_update).","canto",null,"\u003C=3.1.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-16 18:16:51","2026-05-11 20:36:35",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc1a0200f-9861-4eca-adbf-d458eb6b4e63?source=api-prod",[],"researched",false,3,"# Research Plan: CVE-2026-6441 - Missing Authorization in Canto Plugin\n\n## 1. Vulnerability Summary\nThe Canto plugin for WordPress (versions \u003C= 3.1.1) contains a missing authorization vulnerability in its option-updating logic. The function `updateOptions()` is registered as an AJAX handler for authenticated users (`wp_ajax_` prefix) but fails to implement any `current_user_can()` capability checks or `check_ajax_referer()` nonce verifications. Consequently, any logged-in user, including those with the lowest privilege (Subscriber), can modify or delete critical plugin settings and manipulate scheduled cron events.\n\n## 2. Attack Vector Analysis\n*   **Endpoints:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **AJAX Actions:**\n    *   `updateOptions` (Registered in `class-canto.php` around line 231)\n    *   `fbc_updateOptions` (Registered in `class-canto-settings.php` around line 76)\n*   **HTTP Method:** `POST`\n*   **Vulnerable Parameter:** The parameters handled by `updateOptions()` typically include setting keys such as `fbc_duplicates`, `fbc_cron`, `fbc_schedule`, etc.\n*   **Required Authentication:** Any logged-in user (Subscriber-level and above).\n*   **Preconditions:** The plugin must be active.\n\n## 3. Code Flow\n1.  
**Entry Point:** An authenticated user sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the `action` parameter set to either `updateOptions` or `fbc_updateOptions`.\n2.  **Hook Trigger:** WordPress core identifies the action and triggers the corresponding `wp_ajax_` hook.\n3.  **Handler Execution:** The handler calls the `updateOptions()` function (located in either `class-canto.php` or `class-canto-settings.php`).\n4.  **Vulnerable Sink:** The `updateOptions()` function likely reads keys from `$_POST` and passes them directly to `update_option()` or `delete_option()` without checking if the current user is an administrator or verifying a CSRF nonce.\n5.  **Side Effect:** If `fbc_scheduled_update` is passed or manipulated, the plugin may call `wp_clear_scheduled_hook()` or `wp_schedule_event()`, altering the site's cron behavior.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, there is an **absence of any nonce verification** in the `updateOptions()` function. Therefore, **no nonce is required** to exploit this vulnerability. The attacker only needs a valid session cookie for a Subscriber-level user.\n\n## 5. Exploitation Strategy\nThe goal is to modify a plugin setting (e.g., `fbc_cron`) from a Subscriber account.\n\n1.  **Login:** Authenticate as a Subscriber user using `browser_login`.\n2.  **Draft Payload:** Prepare a POST request to `admin-ajax.php`. Based on the description, we will target the `fbc_cron` option.\n3.  **Submit Request:** Use the `http_request` tool to send the following payload:\n    *   **URL:** `https:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Method:** `POST`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:** `action=updateOptions&fbc_cron=0` (or `action=fbc_updateOptions&fbc_cron=0`)\n\n## 6. Test Data Setup\n1.  
**Create Subscriber:** Use WP-CLI to create a test subscriber.\n    ```bash\n    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123\n    ```\n2.  **Initialize Options:** Ensure the Canto plugin is installed and active, and set an initial value for the targeted option.\n    ```bash\n    wp option update fbc_cron 1\n    ```\n\n## 7. Expected Results\n*   **Response:** The server should return a successful HTTP 200 OK response (likely returning `1` or a JSON success message if the plugin follows standard AJAX patterns).\n*   **Database Change:** The WordPress option `fbc_cron` should be updated in the `wp_options` table from `1` to `0`.\n*   **Access Control Failure:** The request succeeds despite the user lacking `manage_options` capabilities.\n\n## 8. Verification Steps\nAfter the exploit attempt, verify the change using WP-CLI:\n1.  **Check Option Value:**\n    ```bash\n    wp option get fbc_cron\n    ```\n    *Success Criteria:* The command returns `0`.\n2.  **Check Cron Events (Optional):** If `fbc_scheduled_update` was targeted:\n    ```bash\n    wp cron event list | grep fbc_scheduled_update\n    ```\n    *Success Criteria:* The event is either missing or modified as per the payload.\n\n## 9. 
Alternative Approaches\nIf the initial payload `fbc_cron=0` does not work, it might be because the `updateOptions` function expects an array or specific structure.\n*   **Alternative Payload 1 (Array-style):** `action=updateOptions&options[fbc_cron]=0`\n*   **Alternative Payload 2 (JSON-style):** `action=updateOptions&data={\"fbc_cron\":\"0\"}` (This is less common for standard `wp_ajax` but possible).\n*   **Alternative Payload 3 (Action specific):** Try both `updateOptions` and `fbc_updateOptions` actions as they are registered in different files.\n*   **Testing Deletion:** Try to clear an option by sending an empty value or a specific parameter that triggers deletion if the code supports it (e.g., `fbc_cron=`).","The Canto plugin for WordPress (versions 3.1.1 and earlier) fails to implement authorization checks and nonce verification in its option-updating logic. This allows authenticated users with subscriber-level privileges or higher to modify or delete plugin settings related to cron scheduling and manipulate scheduled WordPress cron events.","\u002F\u002F class-canto.php around line 231\nadd_action('wp_ajax_updateOptions', array($this, 'updateOptions'));\n\n\u002F\u002F class-canto-settings.php around line 76\nadd_action('wp_ajax_fbc_updateOptions', array($this, 'updateOptions'));\n\n---\n\n\u002F\u002F Inferred logic for updateOptions() based on vulnerability description\npublic function updateOptions() {\n    \u002F\u002F Missing current_user_can('manage_options') check\n    \u002F\u002F Missing check_ajax_referer() nonce check\n\n    if (isset($_POST['fbc_cron'])) {\n        update_option('fbc_cron', sanitize_text_field($_POST['fbc_cron']));\n    }\n    \u002F\u002F ... 
processes fbc_duplicates, fbc_schedule, fbc_cron_time_day, fbc_cron_time_hour, fbc_cron_start ...\n    \n    if (isset($_POST['fbc_scheduled_update'])) {\n        \u002F\u002F Logic to clear or reschedule cron events\n    }\n    wp_die();\n}","--- a\u002Fincludes\u002Fclass-canto-settings.php\n+++ b\u002Fincludes\u002Fclass-canto-settings.php\n@@ -76,4 +76,9 @@\n     public function updateOptions() {\n+        if (!current_user_can('manage_options')) {\n+            wp_send_json_error('Forbidden', 403);\n+        }\n+        check_ajax_referer('canto_settings_nonce', 'nonce');\n+\n         \u002F\u002F ... rest of function logic\n     }","The exploit targets the AJAX endpoints registered by the plugin. An attacker must first authenticate as a Subscriber-level user. They then send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to 'updateOptions' or 'fbc_updateOptions'. The payload includes the specific setting keys they wish to modify, such as 'fbc_cron=0' to disable plugin synchronization or 'fbc_scheduled_update=1' to trigger\u002Fclear scheduled tasks. Because the function lacks capability checks and nonce validation, the server processes these updates as if they were requested by an administrator.","gemini-3-flash-preview","2026-04-20 20:16:49","2026-04-20 20:17:05",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcanto\u002Ftags"]
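Review bot: the hunk only hardens `updateOptions()` in `includes/class-canto-settings.php`, but the description and the vulnerable-code snippet on this page show a second registration, `add_action('wp_ajax_updateOptions', array($this, 'updateOptions'))` in `class-canto.php` around line 231; unless that hook dispatches to this same method, the unauthenticated-by-capability path remains open and needs the identical `current_user_can('manage_options')` and `check_ajax_referer()` guard. Also, the nonce action `'canto_settings_nonce'` and the `'nonce'` request field are introduced here without a corresponding `wp_create_nonce('canto_settings_nonce')` being localized into the settings-page JavaScript, so legitimate administrator saves will start failing with the default `check_ajax_referer()` die unless that client-side change accompanies this hunk; `wp_send_json_error('Forbidden', 403)` already terminates execution, so no explicit `return` is needed after it.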