The flightbycanto Canto WordPress plugin versions up to 3.1.1 contain a missing authorization vulnerability (CWE-862) in the updateOptions() function. Two AJAX hooks (wp_ajax_updateOptions and wp_ajax_fbc_updateOptions) are registered without any capability checks (current_user_can) or nonce verification (check_ajax_referer), requiring only that the user be logged in. This flaw enables authenticated users with subscriber-level privileges or higher to arbitrarily modify or delete plugin options controlling cron scheduling behavior and to manipulate or clear the plugin's scheduled WordPress cron event. The vulnerability affects plugin options such as fbc_duplicates, fbc_cron, fbc_schedule, fbc_cron_time_day, fbc_cron_time_hour, fbc_cron_start, and fbc_scheduled_update. No official patch or remediation level has been published as of the data provided.

The vulnerability allows authenticated users with low privileges (subscriber-level and above) to modify or delete plugin options related to cron scheduling and to manipulate the plugin's scheduled cron events. This impacts the integrity of the plugin's configuration but does not affect confidentiality or availability. There are no known exploits in the wild. The CVSS score is 4.3 (medium severity), reflecting low complexity and low privileges required but limited impact to integrity only.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict user roles and capabilities carefully to limit access to authenticated users who do not require plugin configuration permissions. Monitor plugin updates from flightbycanto for an official fix addressing the missing authorization checks in the updateOptions() function.