CVE-2026-3335 in Canto Plugin

Summary

by MITRE • 03/21/2026

The Canto plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1 via the `/wp-content/plugins/canto/includes/lib/copy-media.php` file. This is due to the file being directly accessible without any authentication, authorization, or nonce checks, and the `fbc_flight_domain` and `fbc_app_api` URL components being accepted as user-supplied POST parameters rather than read from admin-configured options. Since the attacker controls both the destination server and the `fbc_app_token` value, the entire fetch-and-upload chain is attacker-controlled — the server never contacts Canto's legitimate API, and the uploaded file originates entirely from the attacker's infrastructure. This makes it possible for unauthenticated attackers to upload arbitrary files (constrained to WordPress-allowed MIME types) to the WordPress uploads directory. Additional endpoints (`detail.php`, `download.php`, `get.php`, `tree.php`) are also directly accessible without authentication and make requests using a user-supplied `app_api` parameter combined with an admin-configured subdomain.


Analysis

by VulDB Data Team • 03/21/2026

The vulnerability identified in CVE-2026-3335 affects the Canto plugin for WordPress in versions up to and including 3.1.1. This represents a critical authorization flaw that fundamentally undermines the security posture of affected WordPress installations. The core issue stems from the `/wp-content/plugins/canto/includes/lib/copy-media.php` file, which operates without any authentication, authorization, or nonce validation mechanisms, creating an unauthenticated access point that allows attackers to manipulate the plugin's functionality directly. This vulnerability falls under CWE-863, which specifically addresses "Incorrect Authorization" conditions where the system fails to properly verify that an actor is authorized to perform a requested operation.

The technical implementation of this vulnerability exposes multiple attack vectors through the plugin's handling of user-supplied parameters. The file accepts `fbc_flight_domain` and `fbc_app_api` URL components as POST parameters rather than retrieving these values from properly configured admin settings, which creates a dangerous attack surface where malicious actors can control the entire fetch-and-upload chain. More critically, since attackers control both the destination server and the `fbc_app_token` value, they can effectively bypass all legitimate API communications with Canto's infrastructure. This manipulation allows attackers to construct malicious requests that source files entirely from their own infrastructure rather than from the legitimate Canto API endpoints, fundamentally altering the plugin's intended behavior.

The operational impact of this vulnerability extends beyond simple unauthorized file uploads, as it enables attackers to leverage the WordPress uploads directory for potentially malicious activities. While file uploads are constrained to WordPress-allowed MIME types, the ability to place arbitrary files in the upload directory creates numerous downstream exploitation opportunities. Attackers can potentially upload web shells, malicious scripts, or other payloads that can be executed within the WordPress environment, leading to full system compromise. The additional endpoints, including `detail.php`, `download.php`, `get.php`, and `tree.php`, compound the risk by providing multiple attack surfaces that all operate without authentication, each accepting a user-supplied `app_api` parameter combined with an admin-configured subdomain.

This vulnerability directly maps to several ATT&CK techniques including T1190 for exploitation of vulnerable applications and T1078 for valid accounts and credentials. The attack chain begins with reconnaissance of vulnerable WordPress installations, followed by exploitation of the missing authorization checks to upload malicious files. The lack of proper input validation and authentication mechanisms creates an environment where attackers can effectively bypass the plugin's intended security controls. Organizations should implement immediate mitigations including disabling the affected plugin until a patched version is available, implementing proper access controls for plugin directories, and conducting thorough security audits of all installed plugins to identify similar authorization flaws. The vulnerability demonstrates the critical importance of validating all user inputs and implementing proper authorization checks, particularly in plugin architectures where third-party components interact with external APIs and file systems.
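As an added illustration of the mitigations the analysis calls for (this is not the Canto plugin's code or the vendor's fix), the endpoint below shows the hardened shape of the fetch-and-upload flow: it refuses direct file access, requires a capability check and nonce-backed authentication through the WordPress REST API, reads the destination server and API path from admin-configured options instead of POST parameters, pins the outbound host, and lets WordPress's MIME filtering refuse disallowed types. The route namespace, the option names, the `media_id` parameter and the bearer-token header format are assumptions.

```php
<?php
// Added illustration of the hardened pattern; not the Canto plugin's code.
// Route namespace, option names and the media_id parameter are assumptions.
if ( ! defined( 'ABSPATH' ) ) {
    exit; // Refuse direct HTTP access: this file only runs inside WordPress.
}
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-canto/v1', '/copy-media', array(
        'methods'             => 'POST',
        // Authorization: only users allowed to upload. Cookie-authenticated
        // REST calls must also carry a valid X-WP-Nonce header.
        'permission_callback' => function () {
            return current_user_can( 'upload_files' );
        },
        'callback'            => 'example_canto_copy_media',
    ) );
} );

function example_canto_copy_media( WP_REST_Request $request ) {
    // Destination server, API path and token come from admin-configured
    // options, never from the request body.
    $flight_domain = get_option( 'example_canto_flight_domain' );
    $app_api       = get_option( 'example_canto_app_api' );
    $app_token     = get_option( 'example_canto_app_token' );
    if ( ! $flight_domain || ! $app_api || ! $app_token ) {
        return new WP_Error( 'not_configured', 'Canto is not configured.', array( 'status' => 500 ) );
    }
    $media_id = sanitize_text_field( (string) $request->get_param( 'media_id' ) );
    $url      = sprintf( 'https://%s/%s/%s', $flight_domain, trim( $app_api, '/' ), rawurlencode( $media_id ) );
    // Defence in depth: the host actually contacted must be the configured one.
    if ( wp_parse_url( $url, PHP_URL_HOST ) !== $flight_domain ) {
        return new WP_Error( 'bad_host', 'Unexpected host.', array( 'status' => 400 ) );
    }
    // wp_safe_remote_get() also rejects non-http(s) URLs and private/loopback hosts.
    $response = wp_safe_remote_get( $url, array(
        'headers' => array( 'Authorization' => 'Bearer ' . $app_token ), // header format assumed
        'timeout' => 15,
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'fetch_failed', 'Could not fetch media.', array( 'status' => 502 ) );
    }
    // wp_upload_bits() runs wp_check_filetype(): extensions outside the allowed
    // MIME list are refused and the file name is sanitized before writing.
    $upload = wp_upload_bits( sanitize_file_name( $media_id ), null, wp_remote_retrieve_body( $response ) );
    if ( ! empty( $upload['error'] ) ) {
        return new WP_Error( 'upload_failed', $upload['error'], array( 'status' => 400 ) );
    }
    return rest_ensure_response( array( 'url' => $upload['url'] ) );
}
```

Compared with the flaw described above, every control the advisory says is missing (authentication, capability check, nonce, server-side origin of `fbc_flight_domain` and `fbc_app_api`) is enforced before any outbound request or write to the uploads directory takes place.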

Responsible: Wordfence
Reservation: 02/27/2026
Disclosure: 03/21/2026
Moderation: accepted
CPE: ready
EPSS: 0.00244
KEV: no
Activities: very low
