The Canto plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1 via the `/wp-content/plugins/canto/includes/lib/copy-media.php` file. This is due to the file being directly accessible without any authentication, authorization, or nonce checks, and the `fbc_flight_domain` and `fbc_app_api` URL components being accepted as user-supplied POST parameters rather than read from admin-configured options. Since the attacker controls both the destination server and the `fbc_app_token` value, the entire fetch-and-upload chain is attacker-controlled — the server never contacts Canto's legitimate API, and the uploaded file originates entirely from the attacker's infrastructure. This makes it possible for unauthenticated attackers to upload arbitrary files (constrained to WordPress-allowed MIME types) to the WordPress uploads directory. Additional endpoints (`detail.php`, `download.php`, `get.php`, `tree.php`) are also directly accessible without authentication and make requests using a user-supplied `app_api` parameter combined with an admin-configured subdomain.
CVE-2026-3335 is a medium severity with CVSS 5.3 File Upload issue affecting the Plugin Canto. It affects Versions up to 3.1.1 and is listed without a confirmed patched release.
CVE-2026-3335 is tracked for the Plugin Canto as medium severity with CVSS 5.3. The affected range is Versions up to 3.1.1. No fixed release is listed in this feed entry, so operators should monitor the vendor and reference links before accepting the risk.
| Software Type | Plugin |
|---|---|
| Software Slug |
canto
View on wordpress.org
|
| CVE | CVE-2026-3335 |
| Patched Versions |
No patched versions published.
|
| Affected Versions |
Versions up to 3.1.1
|
These internal links group the same WordPress plugin by CVE, issue type, severity, and patch status so operators and search engines can connect the full vulnerability cluster.
Canto <= 3.0.8 - Unauthenticated Remote File Inclusion
Canto <= 3.0.6 - Remote File Inclusion to Code Execution
Canto <= 3.0.4 - Unauthenticated Remote File Inclusion
Canto <= 1.9.0 - Blind Server-Side Request Forgery via detail.php
Canto <= 1.9.0 - Blind Server-Side Request Forgery via download.php
Canto <= 1.9.0 - Blind Server-Side Request Forgery via tree.php
Canto <= 1.9.0 - Blind Server-Side Request Forgery via get.php
Canto <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Setting Modification
This record contains material that is subject to copyright
License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more
License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more
