CVE-2020-28976
published 2020-11-30CVE-2020-28976: The Canto plugin 1.3.0 for WordPress contains a blind SSRF vulnerability. It allows an unauthenticated attacker can make a request to any internal and external…
PriorityP352medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
EXPLOIT
EPSS
26.04%
97.7th percentile
The Canto plugin 1.3.0 for WordPress contains a blind SSRF vulnerability. It allows an unauthenticated attacker can make a request to any internal and external server via /includes/lib/detail.php?subdomain=SSRF.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canto | canto | — | — |
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)
exploitdb·2020-12-04·CVSS 5.3
CVE-2020-28976 [MEDIUM] Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)
Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)
---
# Exploit Title: Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)
# Date: 03/12/2020
# Exploit Author: Pankaj Verma (_p4nk4j)
# Vendor Homepage: https://www.canto.com/integrations/wordpress/
# Software Link: https://github.com/CantoDAM/Canto-Wordpress-Plugin
# Version: 1.3.0
# Tested on: Ubuntu 18.04
# CVE: CVE-2020-28976, CVE-2020-28977, CVE-2020-28978
Description:-
The Canto plugin 1.3.0 for WordPress contains Blind SSRF Vulnerabilities.
It allows an unauthenticated attacker to make a request to any Internal and External Server via "subdomain" parameter.
Vulnerable Parameters and Endpoints:-
https://target/wp-content/plugins/canto/includes/lib/detail.php?subdomain=
https://target/wp-content/plugins/canto/incl
Nuclei
WordPress Canto 1.3.0 - Blind Server-Side Request Forgery
nuclei·CVSS 5.3
CVE-2020-28976 [MEDIUM] WordPress Canto 1.3.0 - Blind Server-Side Request Forgery
WordPress Canto 1.3.0 - Blind Server-Side Request Forgery
WordPress Canto plugin 1.3.0 is susceptible to blind server-side request forgery. An attacker can make a request to any internal and external server via /includes/lib/detail.php?subdomain and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Template:
id: CVE-2020-28976
info:
name: WordPress Canto 1.3.0 - Blind Server-Side Request Forgery
author: LogicalHunter
severity: medium
description: WordPress Canto plugin 1.3.0 is susceptible to blind server-side request forgery. An attacker can make a request to any internal and external server via /includes/lib/detail.php?subdomain and thereby possibly obtain sensitive information, modif
No writeups or analysis indexed.
http://packetstormsecurity.com/files/160358/WordPress-Canto-1.3.0-Server-Side-Request-Forgery.htmlhttps://gist.github.com/p4nk4jv/87aebd999ce4b28063943480e95fd9e0https://github.com/CantoDAM/Canto-Wordpress-Pluginhttps://wordpress.org/plugins/canto/#developershttps://www.canto.com/integrations/wordpress/http://packetstormsecurity.com/files/160358/WordPress-Canto-1.3.0-Server-Side-Request-Forgery.htmlhttps://gist.github.com/p4nk4jv/87aebd999ce4b28063943480e95fd9e0https://github.com/CantoDAM/Canto-Wordpress-Pluginhttps://wordpress.org/plugins/canto/#developershttps://www.canto.com/integrations/wordpress/
2020-11-30
Published