PT-2026-26851 · WordPress · Canto

Heygork · Published 2026-03-21 · Updated 2026-03-21 · CVE-2026-3335

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Canto versions prior to 3.1.2

Description: The Canto plugin for WordPress is susceptible to unauthorized access. The /wp-content/plugins/canto/includes/lib/copy-media.php file is directly accessible without authentication, authorization, or nonce checks. The fbc flight domain and fbc app api URL components are accepted as user-supplied POST parameters instead of being read from admin-configured options. This allows attackers to control the entire file upload process, enabling them to upload arbitrary files to the WordPress uploads directory, constrained by WordPress-allowed MIME types. Additional API endpoints, including /detail.php, /download.php, /get.php, and /tree.php, are also directly accessible without authentication and utilize a user-supplied app api parameter combined with an admin-configured subdomain.

Recommendations: Versions prior to 3.1.2 should be updated. As a temporary workaround, restrict access to the /wp-content/plugins/canto/includes/lib/copy-media.php, /detail.php, /download.php, /get.php, and /tree.php files.
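The workaround above, as an added example that is not part of the advisory or of the Canto plugin: an Apache `.htaccess` fragment that denies every direct request to the five listed files at the web-server tier, so they are never executed regardless of the missing checks inside them. It assumes Apache with `.htaccess` overrides enabled for the plugin directory, and that the four API endpoints sit in the same `includes/lib/` directory as `copy-media.php` (the advisory gives only the latter's full path; adjust the placement if they live elsewhere).

```apache
# Added example, not from the advisory or the Canto project.
# Place as: wp-content/plugins/canto/includes/lib/.htaccess
# Assumption: all five endpoints named in the advisory live in this directory.
# FilesMatch applies to this directory and its subdirectories only.

# Apache 2.4+ (mod_authz_core)
<IfModule mod_authz_core.c>
    <FilesMatch "^(copy-media|detail|download|get|tree)\.php$">
        Require all denied
    </FilesMatch>
</IfModule>

# Apache 2.2 fallback (mod_authz_host syntax)
<IfModule !mod_authz_core.c>
    <FilesMatch "^(copy-media|detail|download|get|tree)\.php$">
        Order deny,allow
        Deny from all
    </FilesMatch>
</IfModule>
```

After deploying, an unauthenticated GET or POST to any of the five files should receive a 403 from the web server instead of reaching PHP; check the access log for the 403 rather than relying on the plugin's own response. Because this is a blanket deny, it also blocks any legitimate use the plugin makes of these endpoints, so treat it as a stopgap and remove it once the site is on 3.1.2 or later.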

Fix

Weakness Enumeration

Missing Authorization

Related identifiers

CVE-2026-3335

Affected products

Canto