CVE-2026-6441

The Canto plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 3.1.1. This is due to the absence of any capability check or nonce verification in the updateOptions() function, which is exposed via two AJAX hooks: wp ajax updateOptions (class-canto.php line 231) and wp ajax fbc updateOptions (class-canto-settings.php line 76). Both hooks are registered exclusively under the wp ajax prefix (requiring only a logged-in user), with no call to current user can() or check ajax referer(). This makes it possible for authenticated attackers with subscriber-level access and above to arbitrarily modify or delete plugin options controlling cron scheduling behavior (fbc duplicates, fbc cron, fbc schedule, fbc cron time day, fbc cron time hour, fbc cron start) and to manipulate or clear the plugin's scheduled WordPress cron event (fbc scheduled update).