CVE-2024-4936

Name of the Vulnerable Software and Affected Versions Canto plugin for WordPress versions up to, and including, 3.0.8

Description The issue allows unauthenticated attackers to include remote files on the server, resulting in code execution. This is achieved via the abspath parameter and requires allow url include to be enabled on the target site in order to exploit.

Recommendations For versions up to, and including, 3.0.8, update to a version later than 3.0.8 to resolve the issue. As a temporary workaround, consider disabling the abspath parameter until a patch is available. Restrict access to the Canto plugin to minimize the risk of exploitation, and ensure allow url include is disabled to prevent code execution.