WordPress · Canto · CVE-2026-3335
**Name of the Vulnerable Software and Affected Versions**
Canto versions prior to 3.1.2
**Description**
The Canto plugin for WordPress is susceptible to unauthorized access. The `/wp-content/plugins/canto/includes/lib/copy-media.php` file is directly accessible without authentication, authorization, or nonce checks. The `fbc flight domain` and `fbc app api` URL components are accepted as user-supplied POST parameters instead of being read from admin-configured options. This allows attackers to control the entire file upload process, enabling them to upload arbitrary files to the WordPress uploads directory, constrained only by the MIME types WordPress allows. Additional API endpoints, including `/detail.php`, `/download.php`, `/get.php`, and `/tree.php`, are also directly accessible without authentication and use a user-supplied `app api` parameter combined with an admin-configured subdomain.
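The following is an added example written for this page, not Canto's code, showing the shape a media-copy endpoint takes once the three missing controls described above are in place: it only runs through `admin-ajax.php` for logged-in users, it verifies a nonce and the `upload_files` capability, and the remote host is built from admin-configured options rather than POST parameters, so the caller controls nothing but a relative path. The AJAX action and nonce name `canto_copy_media`, the POST field `file_path`, the option keys `fbc_flight_domain` and `fbc_app_api` (the advisory names these values without underscores), and the way the two values are joined into a hostname are all assumptions made for the example.

```php
<?php
/**
 * Added example, not the Canto plugin's code. Assumed names: AJAX/nonce
 * action 'canto_copy_media', POST field 'file_path', option keys
 * 'fbc_flight_domain' and 'fbc_app_api', and the host layout
 * "<flight_domain>.<app_api>".
 */

// Block direct requests to this file: it only does work through admin-ajax.php.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Logged-in users only: there is deliberately no 'wp_ajax_nopriv_' hook.
add_action( 'wp_ajax_canto_copy_media', 'canto_example_copy_media' );

function canto_example_copy_media() {
    // 1. Nonce check: rejects cross-site and replayed requests (dies on failure).
    check_ajax_referer( 'canto_copy_media', 'nonce' );

    // 2. Authorization: the same capability the Media Library requires.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Server-side configuration, never request parameters, decides
    //    which remote host the plugin talks to.
    $flight_domain = get_option( 'fbc_flight_domain', '' );
    $app_api       = get_option( 'fbc_app_api', '' );
    if ( '' === $flight_domain || '' === $app_api ) {
        wp_send_json_error( 'plugin is not configured', 400 );
    }

    // The only client-controlled input is a relative path, pinned to that host.
    $path = isset( $_POST['file_path'] ) ? sanitize_text_field( wp_unslash( $_POST['file_path'] ) ) : '';
    $url  = canto_example_build_url( $flight_domain, $app_api, $path );
    if ( null === $url ) {
        wp_send_json_error( 'invalid file path', 400 );
    }

    // 4. Fetch into a temp file, then hand it to the Media Library, which
    //    re-applies the site's allowed MIME types before storing it.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';

    $tmp = download_url( $url );
    if ( is_wp_error( $tmp ) ) {
        wp_send_json_error( $tmp->get_error_message(), 502 );
    }
    $file_array = array(
        'name'     => basename( wp_parse_url( $url, PHP_URL_PATH ) ),
        'tmp_name' => $tmp,
    );
    $attachment_id = media_handle_sideload( $file_array, 0 );
    if ( is_wp_error( $attachment_id ) ) {
        @unlink( $tmp );
        wp_send_json_error( $attachment_id->get_error_message(), 415 );
    }
    wp_send_json_success( array( 'attachment_id' => $attachment_id ) );
}

/**
 * Build the remote URL from configured parts plus the user-supplied path.
 * Returns null if the path carries a scheme, a host, or a '..' segment.
 */
function canto_example_build_url( $flight_domain, $app_api, $path ) {
    if ( '' === $path || preg_match( '#^[a-z][a-z0-9+.-]*:|^//|(^|/)\.\.(/|$)#i', $path ) ) {
        return null;
    }
    $host = rtrim( $flight_domain, '/' ) . '.' . ltrim( $app_api, '.' );
    $url  = 'https://' . $host . '/' . ltrim( $path, '/' );
    // wp_http_validate_url() rejects non-http(s) schemes and, by default, private hosts.
    return wp_http_validate_url( $url ) ? $url : null;
}
```

Two design points matter more than the rest: the handler is registered only on `wp_ajax_` (never `wp_ajax_nopriv_`), so unauthenticated requests never reach it, and the upload goes through `media_handle_sideload()`, so the site's MIME allow-list is enforced by WordPress rather than re-implemented in the plugin. The `ABSPATH` guard is what makes a direct request to the PHP file itself a no-op; for a site that cannot update yet, the same effect is achieved at the web server with a deny rule (Apache `Require all denied`, nginx `deny all`) on the files listed in the Recommendations.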
**Recommendations**
Sites running versions prior to 3.1.2 should update to 3.1.2 or later. As a temporary workaround, restrict access to the `/wp-content/plugins/canto/includes/lib/copy-media.php`, `/detail.php`, `/download.php`, `/get.php`, and `/tree.php` files.