CVE-2026-3335 Overview
The Canto plugin for WordPress contains a critical Missing Authorization vulnerability (CWE-862) in all versions up to and including 3.1.1. The vulnerability exists in the /wp-content/plugins/canto/includes/lib/copy-media.php file, which is directly accessible without any authentication, authorization, or nonce checks. This flaw allows unauthenticated attackers to upload arbitrary files to the WordPress uploads directory by exploiting the plugin's file fetch-and-upload mechanism.
Critical Impact
Unauthenticated attackers can upload arbitrary files (constrained to WordPress-allowed MIME types) to the WordPress uploads directory by controlling the destination server and token values, completely bypassing Canto's legitimate API.
Affected Products
- WordPress Canto Plugin versions up to and including 3.1.1
- All WordPress installations with the vulnerable Canto plugin installed
- Sites using Canto's media integration features
Discovery Timeline
- 2026-03-21 - CVE CVE-2026-3335 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-3335
Vulnerability Analysis
This vulnerability represents a Missing Authorization flaw in the WordPress Canto plugin's media handling functionality. The core issue stems from the copy-media.php file being directly accessible to any user without requiring authentication, authorization checks, or WordPress nonce verification. The fbc_flight_domain and fbc_app_api URL components are accepted as user-supplied POST parameters instead of being read from secure admin-configured options.
Since the attacker controls both the destination server URL and the fbc_app_token value, the entire fetch-and-upload chain becomes attacker-controlled. The WordPress server never contacts Canto's legitimate API during the attack; instead, all uploaded files originate entirely from the attacker's infrastructure. Additional endpoints including detail.php, download.php, get.php, and tree.php are also directly accessible without authentication and make requests using a user-supplied app_api parameter combined with an admin-configured subdomain.
Root Cause
The root cause of this vulnerability is the complete absence of access control mechanisms in the copy-media.php file and related endpoints. Specifically:
- No Authentication Check: The file does not verify that the requesting user is logged in or has valid WordPress credentials
- No Authorization Check: There is no verification that the user has appropriate permissions to upload media files
- No Nonce Verification: WordPress nonce tokens are not required, allowing cross-site request forgery attacks
- User-Controlled API Parameters: Critical parameters (fbc_flight_domain, fbc_app_api, fbc_app_token) are accepted from user input rather than being restricted to admin-configured values
This design flaw allows attackers to redirect the plugin's file fetching mechanism to their own malicious servers.
Attack Vector
The attack leverages the network-accessible nature of the vulnerable endpoint. An unauthenticated attacker can craft a malicious POST request to the copy-media.php endpoint, specifying their own server as the file source through the fbc_flight_domain and fbc_app_api parameters. The attacker provides their own fbc_app_token value, enabling complete control over the file fetching process.
The exploitation workflow involves:
- Identifying a WordPress site with the vulnerable Canto plugin installed
- Setting up an attacker-controlled server to host malicious files
- Sending a crafted POST request to the copy-media.php endpoint with attacker-controlled parameters
- The plugin fetches the file from the attacker's server and uploads it to the WordPress uploads directory
While file uploads are constrained to WordPress-allowed MIME types, this still enables attackers to upload potentially harmful content such as HTML files for phishing, SVG files containing JavaScript, or other allowed file types that could be leveraged for further attacks.
For detailed technical analysis, refer to the Wordfence Vulnerability Report and the source code references at WordPress Plugin Trac.
Detection Methods for CVE-2026-3335
Indicators of Compromise
- Unexpected POST requests to /wp-content/plugins/canto/includes/lib/copy-media.php from external IP addresses
- New files appearing in the WordPress uploads directory with unusual origins or naming patterns
- HTTP requests to the vulnerable endpoints (detail.php, download.php, get.php, tree.php) from unauthenticated sources
- Server logs showing requests with suspicious fbc_flight_domain or fbc_app_api parameters pointing to external domains
Detection Strategies
- Monitor web server access logs for direct requests to the Canto plugin's lib directory endpoints without corresponding admin authentication
- Implement Web Application Firewall (WAF) rules to detect and block POST requests to copy-media.php that contain external domain values in fbc_flight_domain or fbc_app_api parameters
- Deploy file integrity monitoring on the WordPress uploads directory to detect unexpected file additions
- Review WordPress media library for files that were not uploaded through the standard admin interface
Monitoring Recommendations
- Enable verbose logging for the WordPress uploads directory and monitor for file creation events from web server processes
- Set up alerts for requests to Canto plugin endpoints originating from IP addresses outside your organization's expected user base
- Implement regular security audits of installed WordPress plugins to identify vulnerable versions
- Use security plugins that provide real-time monitoring of file system changes and suspicious request patterns
How to Mitigate CVE-2026-3335
Immediate Actions Required
- Update the Canto plugin to the latest patched version immediately if one is available
- If no patch is available, deactivate and remove the Canto plugin until a security update is released
- Review WordPress uploads directory for any suspicious or unexpected files that may have been uploaded through this vulnerability
- Implement WAF rules to block direct access to the vulnerable endpoints
Patch Information
Organizations should check for updates to the Canto plugin through the official WordPress plugin repository. The vulnerability affects versions up to and including 3.1.1. Review the Wordfence Vulnerability Report for the latest patch availability information. Until a patch is released, consider the workarounds below to reduce exposure.
Workarounds
- Disable the Canto plugin entirely until a security patch is available from the vendor
- Implement server-level access controls (.htaccess or nginx configuration) to block direct access to the /wp-content/plugins/canto/includes/lib/ directory
- Use a Web Application Firewall to filter requests to the vulnerable endpoints and block requests with suspicious parameter values
- Restrict access to the WordPress admin area and plugin files to trusted IP addresses only
# Apache .htaccess configuration to block direct access to vulnerable endpoints
# Add to /wp-content/plugins/canto/includes/lib/.htaccess
<Files "copy-media.php">
Order Deny,Allow
Deny from all
</Files>
<Files "detail.php">
Order Deny,Allow
Deny from all
</Files>
<Files "download.php">
Order Deny,Allow
Deny from all
</Files>
<Files "get.php">
Order Deny,Allow
Deny from all
</Files>
<Files "tree.php">
Order Deny,Allow
Deny from all
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
