CVE-2026-3335
Published: 2026-03-21
Priority: P3 (38)
CVSS 3.1: 5.3 (medium), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.44% (34.9th percentile)
The Canto plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1 via the `/wp-content/plugins/canto/includes/lib/copy-media.php` file. This is due to the file being directly accessible without any authentication, authorization, or nonce checks, and the `fbc_flight_domain` and `fbc_app_api` URL components being accepted as user-supplied POST parameters rather than read from admin-configured options. Since the attacker controls both the destination server and the `fbc_app_token` value, the entire fetch-and-upload chain is attacker-controlled — the server never contacts Canto's legitimate API, and the uploaded file originates entirely from the attacker's infrastructure. This makes it possible for unauthenticated attackers to upload arbitrary files (constrained to WordPress-allowed MIME types) to the WordPress uploads directory. Additional endpoints (`detail.php`, `download.php`, `get.php`, `tree.php`) are also directly accessible without authentication and make requests using a user-supplied `app_api` parameter combined with an admin-configured subdomain.
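Because the affected files are reached directly rather than through `admin-ajax.php`, every request to them shows up in the web server access log. The following is an added detection example (not code from the page, Wordfence or the plugin); it assumes Apache/nginx "combined" log format, treats a POST to `copy-media.php` as the upload chain described above and any other direct hit on the listed files as worth reviewing. The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Endpoints named in the advisory: the upload chain plus the other helper
# files that are directly accessible without authentication.
CANTO_LIB = "/wp-content/plugins/canto/includes/lib/"
EXPOSED_FILES = {"copy-media.php", "detail.php", "download.php", "get.php", "tree.php"}

# "combined" log format: client ident user [time] "METHOD TARGET PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def canto_hits(lines):
    """Return one dict per request that reaches an exposed Canto lib file.

    severity is "high" for a POST to copy-media.php (the attacker-controlled
    fetch-and-upload chain) and "medium" for any other direct access.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        path = urlsplit(m["target"]).path  # drop the query string before matching
        if not path.startswith(CANTO_LIB):
            continue
        fname = path[len(CANTO_LIB):]
        if fname not in EXPOSED_FILES:
            continue
        high = fname == "copy-media.php" and m["method"] == "POST"
        hits.append({"ip": m["ip"], "time": m["time"], "method": m["method"],
                     "file": fname, "status": int(m["status"]),
                     "severity": "high" if high else "medium"})
    return hits

# Constructed sample lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Mar/2026:10:01:02 +0000] "POST /wp-content/plugins/canto/includes/lib/copy-media.php HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.7 - - [21/Mar/2026:10:01:05 +0000] "GET /wp-content/plugins/canto/includes/lib/tree.php?app_api=x HTTP/1.1" 200 88 "-" "curl/8.5.0"',
    '198.51.100.4 - - [21/Mar/2026:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [21/Mar/2026:10:02:09 +0000] "GET /wp-content/plugins/canto/css/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in canto_hits(SAMPLE_LOG):
        print(f'{h["severity"]:6} {h["ip"]:15} {h["method"]:4} {h["file"]} -> {h["status"]}')
```

A 200 on a POST to `copy-media.php` from a client that never authenticated is the signal to check the uploads directory for files written around that timestamp.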
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flightbycanto | canto | <= 3.1.1 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| vendor_redhat | | 4.7 | MEDIUM | |
GHSA
GHSA-j9m2-xx67-38fc (ghsa_unreviewed · 2026-03-21): CVE-2026-3335 [MEDIUM] CWE-862. The Canto plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1 (same description as above).
Red Hat
CVE-2026-23212 [MEDIUM] CWE-367 (vendor_redhat · 2026-02-18 · CVSS 4.7): kernel: bonding: annotate data-races around slave->last_rx
In the Linux kernel, the following vulnerability has been resolved:
bonding: annotate data-races around slave->last_rx
slave->last_rx and slave->target_last_arp_rx[...] can be read and written locklessly. Add READ_ONCE() and WRITE_ONCE() annotations.
syzbot reported:
```
BUG: KCSAN: data-race in bond_rcv_validate / bond_rcv_validate
write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 1:
bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335
bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533
__netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039
__netif_receive_skb_one_core net/core/dev.c:6150 [inline]
__netif_receive_skb+0x59/0x270 net/core/dev.c:6265
netif_receive_skb_internal net/core/dev.c:6351
```
No detection rules found.
No public exploits indexed.
References
- https://plugins.trac.wordpress.org/browser/canto/tags/3.1.1/includes/lib/copy-media.php#L152
- https://plugins.trac.wordpress.org/browser/canto/tags/3.1.1/includes/lib/copy-media.php#L306
- https://plugins.trac.wordpress.org/browser/canto/tags/3.1.1/includes/lib/copy-media.php#L71
- https://plugins.trac.wordpress.org/browser/canto/trunk/includes/lib/copy-media.php#L152
- https://plugins.trac.wordpress.org/browser/canto/trunk/includes/lib/copy-media.php#L306
- https://plugins.trac.wordpress.org/browser/canto/trunk/includes/lib/copy-media.php#L71
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0777f759-6980-4572-a866-0210bd5f5085?source=cve
Published: 2026-03-21