CVE-2023-3452 Overview
The Canto plugin for WordPress contains a Remote File Inclusion (RFI) vulnerability affecting all versions up to and including 3.0.4. The flaw exists in the wp_abspath parameter processed by the plugin's tree.php file. Unauthenticated attackers can include and execute arbitrary remote code on the server when the PHP allow_url_include directive is enabled. Local File Inclusion (LFI) is also possible, though it requires the attacker to place a malicious PHP file in a web-server-readable directory via FTP or another upload mechanism. The vulnerability is tracked under [CWE-98] (Improper Control of Filename for Include/Require Statement in PHP Program).
Critical Impact
Unauthenticated attackers can achieve remote code execution on vulnerable WordPress installations, leading to full site compromise.
Affected Products
- Canto plugin for WordPress versions up to and including 3.0.4
- WordPress sites with PHP allow_url_include enabled (for RFI exploitation)
- WordPress sites with writable directories accessible to attackers (for LFI exploitation)
Discovery Timeline
- 2023-08-12 - CVE-2023-3452 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2023-3452
Vulnerability Analysis
The Canto plugin's tree.php file accepts the wp_abspath parameter from user-controlled input and passes it directly into a PHP include or require statement. Because the plugin does not validate, sanitize, or restrict the value, attackers can supply an arbitrary path, including a remote URL. When PHP's allow_url_include directive is enabled, the included resource is fetched and executed in the context of the web server. The attack requires no authentication and no user interaction. The EPSS score of 87.833% reflects the active interest attackers have shown in this class of WordPress plugin flaw.
Root Cause
The root cause is unsanitized use of user-supplied input in a PHP file inclusion function. The wp_abspath parameter was intended to reference the WordPress installation path but is read directly from the request without verification that it points to a legitimate local file. This is a classic [CWE-98] pattern where dynamic file inclusion is performed on attacker-controlled data.
Attack Vector
An attacker sends an HTTP request to the vulnerable tree.php endpoint with the wp_abspath parameter set to a remote URL hosting a malicious PHP payload. PHP retrieves and executes the remote file, granting the attacker arbitrary code execution as the web server user. The attack is conducted over the network, requires no privileges, and operates without user interaction. The vendor addressed the issue in WordPress Plugin Changeset 2951888, and additional analysis is available in the Wordfence Vulnerability Report.
No verified proof-of-concept code is published in the referenced sources. The vulnerable code path and the corresponding patch can be reviewed in the WordPress Plugin Code Review.
Detection Methods for CVE-2023-3452
Indicators of Compromise
- HTTP requests to Canto plugin paths containing the wp_abspath parameter with an external URL value (e.g. http://, https://, ftp:// schemes)
- Outbound HTTP connections from the web server to attacker-controlled hosts shortly after a request to the plugin
- Unexpected PHP processes spawning shells, downloading binaries, or writing files into WordPress directories
- New or modified PHP files in wp-content/plugins/canto/ or other writable WordPress directories
Detection Strategies
- Inspect web server access logs for requests targeting tree.php or other Canto plugin files with suspicious wp_abspath values
- Alert on web application firewall (WAF) signatures matching remote file inclusion patterns in WordPress plugin parameters
- Correlate inbound HTTP requests to the plugin endpoint with outbound network connections initiated by the PHP interpreter
- Monitor for installed plugin versions across WordPress fleets and flag any Canto installation at or below 3.0.4
Monitoring Recommendations
- Enable verbose logging on the PHP-FPM or Apache mod_php process to capture file inclusion events
- Forward web server, PHP error, and EDR telemetry to a centralized data lake for correlation and retention
- Track file integrity on the WordPress webroot and alert on any unexpected PHP file creation or modification
How to Mitigate CVE-2023-3452
Immediate Actions Required
- Update the Canto plugin to a version newer than 3.0.4 that contains the fix from changeset 2951888
- If updating is not immediately possible, disable and remove the Canto plugin from affected WordPress sites
- Set allow_url_include = Off in php.ini to neutralize remote file inclusion across all PHP applications on the host
- Review web server and PHP logs for prior exploitation attempts against tree.php and the wp_abspath parameter
Patch Information
The vendor patched the vulnerability in the Canto plugin via WordPress Plugin Changeset 2951888. Administrators should upgrade to the latest available release of the Canto plugin through the WordPress plugin manager.
Workarounds
- Block external requests to Canto plugin endpoints at the WAF or reverse proxy until patching is complete
- Set allow_url_include = Off and allow_url_fopen = Off in php.ini to prevent remote inclusion
- Restrict write access on WordPress directories to prevent attackers from staging local PHP payloads for LFI exploitation
- Apply virtual patching rules that reject any request containing the wp_abspath parameter with a URL scheme
# Disable remote file inclusion in php.ini
allow_url_include = Off
allow_url_fopen = Off
# Verify settings are applied
php -i | grep -E 'allow_url_(include|fopen)'
# Update the Canto plugin via WP-CLI
wp plugin update canto
wp plugin get canto --field=version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
