{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6441", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-16T18:15:29.101Z", "datePublished": "2026-04-17T06:44:50.145Z", "dateUpdated": "2026-04-17T06:44:50.145Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-17T06:44:50.145Z"}, "affected": [{"vendor": "flightbycanto", "product": "Canto", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Canto plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 3.1.1. This is due to the absence of any capability check or nonce verification in the updateOptions() function, which is exposed via two AJAX hooks: wp_ajax_updateOptions (class-canto.php line 231) and wp_ajax_fbc_updateOptions (class-canto-settings.php line 76). Both hooks are registered exclusively under the wp_ajax_ prefix (requiring only a logged-in user), with no call to current_user_can() or check_ajax_referer(). This makes it possible for authenticated attackers with subscriber-level access and above to arbitrarily modify or delete plugin options controlling cron scheduling behavior (fbc_duplicates, fbc_cron, fbc_schedule, fbc_cron_time_day, fbc_cron_time_hour, fbc_cron_start) and to manipulate or clear the plugin's scheduled WordPress cron event (fbc_scheduled_update)."}], "title": "Canto <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Setting Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c1a0200f-9861-4eca-adbf-d458eb6b4e63?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/canto/trunk/includes/class-canto.php#L572"}, {"url": "https://plugins.trac.wordpress.org/browser/canto/tags/3.1.1/includes/class-canto.php#L572"}, {"url": "https://plugins.trac.wordpress.org/browser/canto/trunk/includes/class-canto.php#L231"}, {"url": "https://plugins.trac.wordpress.org/browser/canto/tags/3.1.1/includes/class-canto.php#L231"}, {"url": "https://plugins.trac.wordpress.org/browser/canto/trunk/includes/class-canto-settings.php#L603"}, {"url": "https://plugins.trac.wordpress.org/browser/canto/tags/3.1.1/includes/class-canto-settings.php#L603"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2026-04-16T18:16:51.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Canto plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 3.1.1. This is due to the absence of any capability check or nonce verification in the updateOptions() function, which is exposed via two AJAX hooks: wp_ajax_updateOptions (class-canto.php line 231) and wp_ajax_fbc_updateOptions (class-canto-settings.php line 76). Both hooks are registered exclusively under the wp_ajax_ prefix (requiring only a logged-in user), with no call to current_user_can() or check_ajax_referer(). This makes it possible for authenticated attackers with subscriber-level access and above to arbitrarily modify or delete plugin options controlling cron scheduling behavior (fbc_duplicates, fbc_cron, fbc_schedule, fbc_cron_time_day, fbc_cron_time_hour, fbc_cron_start) and to manipulate or clear the plugin's scheduled WordPress cron event (fbc_scheduled_update)."}], "id": "CVE-2026-6441", "lastModified": "2026-04-17T07:16:03.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-17T07:16:03.020", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/canto/tags/3.1.1/includes/class-canto-settings.php#L603"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/canto/tags/3.1.1/includes/class-canto.php#L231"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/canto/tags/3.1.1/includes/class-canto.php#L572"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/canto/trunk/includes/class-canto-settings.php#L603"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/canto/trunk/includes/class-canto.php#L231"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/canto/trunk/includes/class-canto.php#L572"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c1a0200f-9861-4eca-adbf-d458eb6b4e63?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T08:20:54.804378+00:00", "value": {"mitigation_remediation": ["Update the Canto plugin to version 3.1.2 or higher. ", "If an immediate update is not possible, block access to the wp_ajax_updateOptions and wp_ajax_fbc_updateOptions endpoints for users without administrator privileges using a web application firewall or .htaccess rules. ", "Remove or disable the plugin\u2019s scheduled WordPress cron event manually and verify that no unauthorized changes occur."], "summary": {"action": "Update Plugin", "impact": "Unauthorized Modification of Plugin Settings"}, "threat_synthesis": {"affected_systems": "This issue affects the Canto content management plugin for WordPress versions up to 3.1.1. Any WordPress site running that version, regardless of other plugins or theme, is vulnerable.", "description_and_impact": "The Canto WordPress plugin contains a missing authorization flaw in its AJAX endpoints updateOptions and fbc_updateOptions. The functions have no capability check or nonce validation, allowing any logged\u2011in user with subscriber rights or higher to call them. This vulnerability lets the attacker alter or delete all plugin configuration parameters that control cron scheduling and the scheduled WordPress cron event. The flaw is mapped to CWE\u2011862 and can effectively disable or modify the plugin\u2019s scheduled tasks.", "risk_and_exploitability": "The CVSS v3.1 score is 4.3, indicating moderate impact. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalogue, suggesting limited public exploitation data. Because the flaw is only exposed to authenticated users and no privileges are checked, any user with subscriber-level access can exploit it. The lack of a nonce check also means the attack can be performed via crafted HTTP requests, making it relatively straightforward for an insider or compromised account. While the current risk is moderate, the ability to change scheduled cron events could lead to denial of service or execution\u2011timing changes if a malicious actor gains access."}}}}, "created": "2026-04-17T08:30:13.697614+00:00", "updated": "2026-04-17T08:30:13.697626+00:00", "vendors": []}