The flightbycanto Canto plugin for WordPress, versions up to and including 3.1.1, contains a critical missing authorization vulnerability (CWE-862) identified as CVE-2026-3335. The vulnerability exists primarily in the /wp-content/plugins/canto/includes/lib/copy-media.php file, which is accessible without any authentication, authorization, or nonce verification. This endpoint accepts POST parameters fbc_flight_domain and fbc_app_api directly from the user instead of reading them from admin-configured options. Consequently, an attacker can control the entire fetch-and-upload process by supplying a malicious fbc_app_token and controlling the destination server, effectively bypassing the legitimate Canto API. This allows the attacker to upload arbitrary files constrained only by WordPress-allowed MIME types to the WordPress uploads directory. Additional endpoints such as detail.php, download.php, get.php, and tree.php also lack authentication and accept user-supplied app_api parameters combined with an admin-configured subdomain, further expanding the attack surface. The vulnerability does not require any privileges or user interaction, making it remotely exploitable over the network. Although the CVSS score is 5.3 (medium), the primary impact is on integrity due to unauthorized file uploads, which could lead to further attacks such as webshell deployment or defacement if combined with other vulnerabilities or misconfigurations. No patches or mitigations are currently linked, and no known exploits have been reported in the wild as of the publication date.

This vulnerability allows unauthenticated attackers to upload arbitrary files to the WordPress uploads directory, potentially enabling malicious actors to deploy webshells, deface websites, or execute further attacks leveraging uploaded content. While the MIME types are constrained by WordPress settings, attackers can still upload executable scripts disguised as allowed types if the server executes them, leading to a compromise of website integrity. The lack of authentication on multiple endpoints increases the risk of automated exploitation at scale. Organizations running the affected plugin versions face risks including unauthorized content injection, potential privilege escalation if combined with other vulnerabilities, and reputational damage from website defacement or data tampering. The vulnerability does not directly impact confidentiality or availability but can serve as a foothold for more severe attacks. Since the plugin is used in WordPress environments, which are widespread globally, the threat could affect a broad range of organizations, especially those relying on the Canto plugin for media management. The absence of known exploits in the wild currently limits immediate impact but does not reduce the urgency for remediation.

1. Immediately restrict access to the vulnerable endpoints (/copy-media.php, detail.php, download.php, get.php, tree.php) by implementing authentication and authorization checks at the web server or application level to prevent unauthenticated access. 2. Validate and sanitize all user-supplied POST parameters, especially fbc_flight_domain, fbc_app_api, and app_api, ensuring they cannot override admin-configured options or redirect to attacker-controlled servers. 3. Disable or remove the Canto plugin if it is not essential, or upgrade to a patched version once available. 4. Implement strict MIME type validation and consider disabling execution of uploaded files in the WordPress uploads directory by configuring the web server to prevent script execution. 5. Monitor web server logs for suspicious POST requests to the affected endpoints and unusual file uploads. 6. Employ Web Application Firewalls (WAFs) with custom rules to block unauthorized access attempts to these plugin endpoints. 7. Conduct a thorough audit of uploaded files to detect and remove any malicious content that may have been uploaded prior to mitigation. 8. Follow WordPress security best practices, including least privilege principles for plugin usage and regular updates.