The Canto WordPress plugin up to version 3.1.1 suffers from a Missing Authorization vulnerability (CWE-862) due to the absence of capability checks and nonce verification in the updateOptions() function. This function is exposed through two AJAX hooks (wp_ajax_updateOptions and wp_ajax_fbc_updateOptions) that require only a logged-in user, without verifying user capabilities or nonces. Consequently, authenticated users with low privileges (subscriber-level and above) can arbitrarily modify or delete plugin options controlling cron scheduling behavior and manipulate the plugin's scheduled cron events.

An attacker with subscriber-level access or higher can alter or delete critical plugin options related to cron scheduling, potentially disrupting scheduled tasks managed by the plugin. This could affect the plugin's intended functionality but does not directly impact confidentiality or availability beyond the plugin's scope. There is no indication of remote code execution or data disclosure from this vulnerability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict user roles to trusted users only and monitor for unauthorized changes to plugin options. Avoid granting subscriber-level access to untrusted users. Implement manual capability checks or nonce verification in the affected AJAX hooks if possible.