PT-2026-33415 · WordPress · Canto

Abhirup Konwar · Published 2026-04-17 · Updated 2026-04-24 · CVE-2026-6441

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Canto plugin for WordPress versions prior to 3.1.2
Description: Missing authorization occurs due to the absence of capability checks or nonce verification in the updateOptions() function. This function is exposed via two AJAX hooks: 'wp_ajax_updateOptions' and 'wp_ajax_fbc_updateOptions'. Because these hooks are registered under the wp_ajax_ prefix without calls to current_user_can() or check_ajax_referer(), authenticated attackers with subscriber-level access or higher can arbitrarily modify or delete plugin options that control cron scheduling behavior, specifically fbc_duplicates, fbc_cron, fbc_schedule, fbc_cron_time_day, fbc_cron_time_hour, and fbc_cron_start. Additionally, attackers can manipulate or clear the scheduled WordPress cron event fbc_scheduled_update.
Recommendations: Update to a version later than 3.1.1. As a temporary workaround, restrict access to the updateOptions() function or the associated AJAX hooks until a patch is applied.
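The following is an added illustration of what a properly guarded handler for these AJAX hooks looks like; it is hypothetical example code written for this advisory, not the Canto plugin's own code or its actual patch. The nonce action name 'fbc_update_options', the 'manage_options' capability, the request field names and the 'daily' schedule are assumptions; the option keys, hook names and cron event name are those listed in the description.

```php
<?php
// Hypothetical hardened handler (not Canto's code) showing the two checks the
// advisory says updateOptions() lacked, plus an allow-list of option keys.

// Only the option keys named in the advisory may be written by this handler.
const FBC_ALLOWED_OPTIONS = array(
    'fbc_duplicates', 'fbc_cron', 'fbc_schedule',
    'fbc_cron_time_day', 'fbc_cron_time_hour', 'fbc_cron_start',
);

function fbc_update_options_handler() {
    // 1. CSRF protection: the request must carry a valid nonce for this action.
    //    check_ajax_referer() terminates the request if the nonce is missing or bad.
    check_ajax_referer( 'fbc_update_options', 'nonce' );

    // 2. Authorization: subscriber-level accounts must not be able to reach the
    //    option update. Without this check any logged-in user could call the hook.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Input validation: accept only known keys and sanitize each value.
    $updated = array();
    foreach ( FBC_ALLOWED_OPTIONS as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            $value = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
            update_option( $key, $value );
            $updated[] = $key;
        }
    }

    // The cron event is (re)scheduled only through this guarded path, so an
    // unauthorized caller can no longer clear or manipulate it.
    $hook = 'fbc_scheduled_update';
    wp_clear_scheduled_hook( $hook );
    if ( get_option( 'fbc_cron' ) ) {
        wp_schedule_event( time(), 'daily', $hook ); // 'daily' is an assumed interval
    }

    wp_send_json_success( array( 'updated' => $updated ) );
}

// Register for authenticated users only (no wp_ajax_nopriv_ variant); both hook
// names from the advisory point at the same guarded handler.
add_action( 'wp_ajax_updateOptions', 'fbc_update_options_handler' );
add_action( 'wp_ajax_fbc_updateOptions', 'fbc_update_options_handler' );
```

The admin page that issues the request must embed a matching nonce, e.g. wp_create_nonce( 'fbc_update_options' ) passed to the script via wp_localize_script(), and send it as the 'nonce' field. When reviewing other plugins for the same weakness, the thing to look for is any add_action( 'wp_ajax_...' ) callback that reaches update_option() or delete_option() without both of these checks.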

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-6441

Affected Products: Canto