CVE-2024-4936

9.8 CRITICAL

📋 TL;DR

The Canto WordPress plugin has a Remote File Inclusion vulnerability in all versions up to 3.0.8 that allows unauthenticated attackers to include remote files on the server, potentially leading to remote code execution. This affects all WordPress sites using vulnerable versions of the Canto plugin. Exploitation requires the PHP configuration setting allow_url_include to be enabled on the target server.

💻 Affected Systems

Products:
  • Canto WordPress Plugin
Versions: All versions up to and including 3.0.8
Operating Systems: Any OS running WordPress with PHP
Default Config Vulnerable: ✅ No
Notes: Requires PHP allow_url_include setting to be enabled for full remote exploitation

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise with remote code execution, data theft, and complete system control

🟠

Likely Case

Website defacement, malware injection, or backdoor installation

🟢

If Mitigated

Limited impact if allow_url_include is disabled, though file inclusion may still be possible via local paths

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing and the exploit requires no authentication
🏢 Internal Only: MEDIUM - Internal WordPress sites could still be vulnerable if accessible to attackers

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple parameter manipulation required, but requires allow_url_include to be enabled for remote file inclusion

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.9 or later

Vendor Advisory: https://plugins.trac.wordpress.org/browser/canto/trunk/includes/lib/sizes.php#L15

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find the Canto plugin.
4. Update to version 3.0.9 or later.
5. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable allow_url_include

Platform: all

Prevents remote file inclusion by disabling PHP's allow_url_include setting

Edit php.ini: allow_url_include = Off
Or add to .htaccess: php_flag allow_url_include off

Because allow_url_include is a PHP_INI_SYSTEM directive, an .htaccess override is not honoured in every setup (and never under PHP-FPM); confirm the effective value after the change with `php -i | grep allow_url_include` or phpinfo() rather than assuming it took effect.

Disable Canto plugin

Platform: linux

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate canto

🧯 If You Can't Patch

  • Disable the Canto plugin immediately
  • Implement WAF rules to block requests containing suspicious abspath parameters

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel for Canto plugin version. If version is 3.0.8 or lower, you are vulnerable.

Check Version:

wp plugin list --name=canto --field=version

Verify Fix Applied:

Verify Canto plugin version is 3.0.9 or higher in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing 'abspath' parameter with remote URLs
  • Unusual file inclusion attempts in PHP error logs

Network Indicators:

  • HTTP requests to WordPress sites with abspath parameter containing http:// or https:// URLs

SIEM Query:

web.url:*abspath=*http* OR web.url:*abspath=*https*
