CVE-2026-6441 Overview
The Canto plugin for WordPress contains a Missing Authorization vulnerability [CWE-862] affecting all versions up to and including 3.1.1. The flaw resides in the updateOptions() function, which is exposed through two AJAX hooks: wp_ajax_updateOptions and wp_ajax_fbc_updateOptions. Neither hook performs a capability check via current_user_can() nor a nonce check via check_ajax_referer(). Authenticated attackers with subscriber-level access can modify or delete plugin options that control cron scheduling behavior. They can also manipulate or clear the plugin's scheduled WordPress cron event.
Critical Impact
Any authenticated WordPress user, including low-privileged subscribers, can tamper with Canto plugin scheduling options and disrupt scheduled cron updates.
Affected Products
- Canto plugin for WordPress, versions up to and including 3.1.1
- Installations exposing wp_ajax_updateOptions hook (class-canto.php line 231)
- Installations exposing wp_ajax_fbc_updateOptions hook (class-canto-settings.php line 76)
Discovery Timeline
- 2026-04-17 - CVE-2026-6441 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-6441
Vulnerability Analysis
The Canto plugin registers two AJAX handlers that invoke the updateOptions() function. Both handlers are registered exclusively under the wp_ajax_ prefix, which requires only that the requester be a logged-in WordPress user. The function processes incoming POST parameters and writes them to plugin options without verifying the caller's role or validating a request nonce.
Because WordPress treats subscribers as authenticated users, any account holder can submit a crafted AJAX request to either endpoint. Successful requests overwrite plugin options including fbc_duplicates, fbc_cron, fbc_schedule, fbc_cron_time_day, fbc_cron_time_hour, and fbc_cron_start. Attackers can also clear the scheduled cron event fbc_scheduled_update, disrupting automated synchronization tasks the plugin performs.
Root Cause
The root cause is the absence of authorization and request-origin verification in updateOptions(). The function should call current_user_can() with an appropriate capability such as manage_options and call check_ajax_referer() against a plugin-specific nonce before mutating any options. Neither check is present in the vulnerable releases.
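The two checks described above, shown on a hypothetical handler as an added example (this is not the Canto plugin's code; the function name example_update_options, the nonce action name, the nonce request field, and the per-option sanitizers are assumptions made for illustration). The option keys are the ones named in this advisory; the order matters, since both checks run before any option is written:

```php
<?php
// Added example, not Canto's code: an AJAX option writer with the
// request-origin and authorization checks that updateOptions() lacks.

add_action( 'wp_ajax_example_updateOptions', 'example_update_options' );

function example_update_options() {
    // 1. Request-origin check. Ends the request with HTTP 403 when the
    //    nonce field is missing or invalid, so a forged POST never reaches
    //    the option writes below. The nonce action name is an assumption.
    check_ajax_referer( 'example_update_options', 'nonce' );

    // 2. Capability check. Only administrators (manage_options) may change
    //    plugin scheduling options; wp_send_json_error() exits.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Allow-list and sanitize. Only the option keys from the advisory are
    //    accepted; the expected type of each key is an assumption.
    $allowed = array(
        'fbc_duplicates'     => 'rest_sanitize_boolean',
        'fbc_cron'           => 'rest_sanitize_boolean',
        'fbc_schedule'       => 'sanitize_key',
        'fbc_cron_time_day'  => 'absint',
        'fbc_cron_time_hour' => 'absint',
        'fbc_cron_start'     => 'absint',
    );
    foreach ( $allowed as $key => $sanitizer ) {
        if ( isset( $_POST[ $key ] ) ) {
            update_option( $key, call_user_func( $sanitizer, wp_unslash( $_POST[ $key ] ) ) );
        }
    }
    wp_send_json_success();
}

// The settings page must be given the matching nonce (for example through
// wp_localize_script()) so that legitimate requests pass check 1.
function example_settings_nonce() {
    return wp_create_nonce( 'example_update_options' );
}
```

A request that omits the nonce is rejected before the capability check runs, and a subscriber who somehow obtains a nonce is still rejected by current_user_can(); unknown POST keys are never written to wp_options.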
Attack Vector
Exploitation requires a valid WordPress user session at the subscriber level or higher. The attacker submits an HTTP POST request to /wp-admin/admin-ajax.php with action=updateOptions or action=fbc_updateOptions and the parameter values they wish to set. No special tooling is required and the attack is fully remote over the network. See the Wordfence Vulnerability Intelligence entry and the Canto plugin source on WordPress.org for the unprotected handler registration.
No verified public proof-of-concept code is available. The vulnerability mechanism is fully described by the missing capability and nonce checks around the AJAX-exposed option writer.
Detection Methods for CVE-2026-6441
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php containing action=updateOptions or action=fbc_updateOptions originating from low-privileged user sessions.
- Unexpected changes to Canto plugin options such as fbc_cron, fbc_schedule, fbc_cron_time_day, fbc_cron_time_hour, or fbc_cron_start in wp_options.
- Missing or unexpectedly rescheduled fbc_scheduled_update cron entry in the output of the WP-CLI command wp cron event list.
Detection Strategies
- Monitor WordPress web access logs for AJAX calls to the two affected actions and correlate the calling user role against the action sensitivity.
- Inspect wp_options row revisions or backups for unauthorized changes to the fbc_* options listed above.
- Alert on AJAX activity to Canto endpoints from accounts that do not normally access plugin administration.
Monitoring Recommendations
- Enable WordPress audit logging for option updates and scheduled task changes.
- Forward web server and PHP logs to a centralized log analytics platform for retention and querying.
- Review user accounts on a recurring basis and remove unused subscriber-level accounts that could be abused for authenticated exploitation.
How to Mitigate CVE-2026-6441
Immediate Actions Required
- Update the Canto plugin to a release later than 3.1.1 as soon as a patched version is published by the vendor.
- Restrict new user registration if it is not required, reducing the pool of accounts capable of triggering the vulnerable AJAX handlers.
- Audit existing subscriber and contributor accounts and disable any that are inactive or unrecognized.
Patch Information
At the time of NVD publication on 2026-04-17, no fixed version is listed in the available references. Monitor the WordPress.org plugin repository for Canto and the Wordfence advisory for a release that adds current_user_can() and check_ajax_referer() to updateOptions().
Workarounds
- Deactivate the Canto plugin until a patched release is installed if the plugin is not in active use.
- Apply a web application firewall rule blocking unauthenticated and low-privilege requests to admin-ajax.php where the action parameter equals updateOptions or fbc_updateOptions.
- Apply a custom mu-plugin that wraps the affected hooks and rejects callers lacking the manage_options capability until an official patch is released.
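An mu-plugin of the kind described in the last workaround, which also produces the role-correlated log entries and option-change audit trail called for under Detection Strategies. This is an added example, not code from the Canto project: the hook names (wp_ajax_updateOptions, wp_ajax_fbc_updateOptions), the fbc_* option prefix and the fbc_scheduled_update cron hook come from this advisory; the guard function names, the log line format and the assumption that the plugin registers its handlers at the default priority 10 are the example's own:

```php
<?php
/**
 * Plugin Name: Canto AJAX Guard (added example, not the Canto project's code)
 * Description: Temporary mu-plugin. Rejects callers of the two affected AJAX
 *              actions that lack manage_options, and logs option and cron
 *              changes to the PHP error log for detection. Remove once a
 *              patched Canto release is installed.
 * Install:     copy into wp-content/mu-plugins/ (mu-plugins load automatically).
 */

// Priority 1 runs before the plugin's own handler (assumed default priority 10),
// so a rejected request never reaches updateOptions().
foreach ( array( 'wp_ajax_updateOptions', 'wp_ajax_fbc_updateOptions' ) as $hook ) {
    add_action( $hook, 'canto_guard_ajax', 1 );
}

function canto_guard_ajax() {
    $user   = wp_get_current_user();
    $roles  = implode( ',', (array) $user->roles );
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : 'unknown';

    if ( ! current_user_can( 'manage_options' ) ) {
        // Blocked attempt: log the calling role so the entry can be correlated
        // against the action's sensitivity, then end the request with 403.
        error_log( sprintf( 'canto-guard: BLOCKED action=%s user=%s roles=%s ip=%s',
            $action, $user->user_login, $roles, $ip ) );
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // exits
    }
    // Allowed (administrator) call is still recorded for the audit trail.
    error_log( sprintf( 'canto-guard: allowed action=%s user=%s roles=%s ip=%s',
        $action, $user->user_login, $roles, $ip ) );
}

// Audit trail for the fbc_* options listed as indicators of compromise.
function canto_guard_is_watched( $option ) {
    return 0 === strpos( $option, 'fbc_' );
}

add_action( 'updated_option', 'canto_guard_option_changed', 10, 3 );
function canto_guard_option_changed( $option, $old_value, $new_value ) {
    if ( canto_guard_is_watched( $option ) ) {
        error_log( sprintf( 'canto-guard: option %s changed by user #%d: %s -> %s',
            $option, get_current_user_id(), wp_json_encode( $old_value ), wp_json_encode( $new_value ) ) );
    }
}

add_action( 'deleted_option', 'canto_guard_option_deleted' );
function canto_guard_option_deleted( $option ) {
    if ( canto_guard_is_watched( $option ) ) {
        error_log( sprintf( 'canto-guard: option %s deleted by user #%d',
            $option, get_current_user_id() ) );
    }
}

// Record any request to clear the plugin's scheduled event. Returning $pre
// unchanged (null) lets WordPress carry out the clear as it normally would.
add_filter( 'pre_clear_scheduled_hook', 'canto_guard_cron_cleared', 10, 3 );
function canto_guard_cron_cleared( $pre, $hook, $args ) {
    if ( 'fbc_scheduled_update' === $hook ) {
        error_log( sprintf( 'canto-guard: clear of cron hook %s requested by user #%d',
            $hook, get_current_user_id() ) );
    }
    return $pre;
}
```

Because the guard runs on the same wp_ajax_ hooks the plugin uses, it applies whether the request names updateOptions or fbc_updateOptions, and the BLOCKED lines in the forwarded PHP log give the per-role correlation the detection section asks for without parsing web server logs.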
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.