Canto
cpe:2.3:a:canto:canto:*:*:*:*:wordpress:*:*
- <= 3.1.1
A vulnerability exists in the Canto plugin for WordPress, affecting all versions up to and including 3.1.1. The issue arises from the '/wp-content/plugins/canto/includes/lib/copy-media.php' file, which is reachable directly without any authentication, authorization, or nonce check. It allows unauthenticated attackers to upload arbitrary files (limited to the MIME types WordPress allows) to the WordPress uploads directory. This is possible because the 'fbc_flight_domain' and 'fbc_app_api' parameters are accepted as user-supplied POST data rather than being read from admin-configured options. Other endpoints in the same directory, such as 'detail.php', 'download.php', 'get.php', and 'tree.php', are likewise accessible without authentication.
Exploitation allows unauthorized file uploads to the WordPress uploads directory, which could lead to further compromise, such as execution of malicious code if the server executes an uploaded file.
To reproduce this vulnerability, send a POST request to the 'copy-media.php' file within the Canto plugin directory. Include the 'fbc_flight_domain' and 'fbc_app_api' parameters with values that the attacker controls. The 'fbc_app_token' must also be provided. The request can be made without authentication, authorization, or nonce checks. Once the request is processed, the uploaded file will be found in the WordPress uploads directory.
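The two things a site owner most needs from this advisory are a way to tell whether an installed copy falls inside the affected range and a way to spot direct requests to the plugin's unprotected library scripts in web server logs. The following Python script, added here as an illustration and not taken from the advisory or the Canto project, does both. It assumes the plugin's main file carries a standard WordPress 'Version:' header and that the web server writes combined-format access logs; the plugin header and the log lines embedded in it are constructed sample data, and the IP addresses are documentation-range placeholders.

```python
"""Defender-side checks for the Canto <= 3.1.1 unauthenticated upload issue.

Added example, not code from the advisory or the Canto plugin. Assumes a
standard WordPress plugin header and Apache/Nginx combined-format access
logs; all sample data below is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Directory and scripts the advisory names as reachable without authentication.
PLUGIN_LIB = "/wp-content/plugins/canto/includes/lib/"
EXPOSED_ENDPOINTS = ("copy-media.php", "detail.php", "download.php", "get.php", "tree.php")
LAST_AFFECTED = (3, 1, 1)  # all versions up to and including 3.1.1 are affected


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.1.1', '3.1' or '3.1.1-rc1' into a comparable integer tuple."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the installed version lies inside the advisory's range.

    Missing components are padded with zeros so '3.1' compares as 3.1.0; a
    string with no parseable digits becomes 0.0.0 and is treated as affected.
    """
    v = (parse_version(version) + (0, 0, 0))[:3]
    return v <= LAST_AFFECTED


def plugin_version_from_header(header: str) -> Optional[str]:
    """Read the 'Version:' line from a WordPress plugin file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header, re.MULTILINE)
    return m.group(1) if m else None


# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per request that hits a Canto lib script directly.

    Any direct hit deserves a look, since these scripts should not need to be
    reachable by anonymous clients at all. A POST to copy-media.php that the
    server answered with 200 is the upload path the advisory describes, so it
    is rated 'high'; everything else is rated 'medium'.
    """
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if not path.startswith(PLUGIN_LIB):
            continue
        script = path[len(PLUGIN_LIB):]
        if script not in EXPOSED_ENDPOINTS:
            continue
        upload_attempt = m.group("method") == "POST" and script == "copy-media.php"
        severity = "high" if upload_attempt and m.group("status") == "200" else "medium"
        findings.append({
            "ip": m.group("ip"), "time": m.group("ts"), "method": m.group("method"),
            "script": script, "status": m.group("status"), "severity": severity,
        })
    return findings


# Constructed sample inputs (not real plugin code or real traffic).
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Canto
Version: 3.1.1
*/
"""

SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:15:01 +0000] "GET /wp-content/plugins/canto/includes/lib/tree.php?x=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jan/2024:10:15:03 +0000] "POST /wp-content/plugins/canto/includes/lib/copy-media.php HTTP/1.1" 200 87',
    '198.51.100.4 - - [10/Jan/2024:10:16:10 +0000] "GET /wp-content/plugins/canto/canto.php HTTP/1.1" 200 2048',
    '198.51.100.4 - - [10/Jan/2024:10:16:12 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 44',
]

if __name__ == "__main__":
    ver = plugin_version_from_header(SAMPLE_PLUGIN_HEADER)
    print(f"installed Canto {ver}: affected={is_affected(ver or '')}")
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Run against a real deployment, point `plugin_version_from_header` at the contents of the plugin's main PHP file and feed `scan_access_log` the server's access log lines. The log scanner only sees the request line, so it cannot confirm which POST parameters were sent; a 'high' finding is a prompt to review the uploads directory for files created at that timestamp, and a 'medium' one is still worth attention because none of the listed scripts should be reachable anonymously.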