Canto WordPress Plugin Missing Authorization Vulnerability Allowing Arbitrary Setting Modification

Vulnerability

A vulnerability exists in the Canto plugin for WordPress, specifically in versions up to and including 3.1.1. The issue arises from a missing authorization check in the 'updateOptions' function, which is accessible through two AJAX hooks. These hooks require only a logged-in user, allowing authenticated attackers with subscriber-level access or higher to manipulate plugin options related to cron scheduling and to interfere with the plugin's scheduled WordPress cron events.

Impact

Exploitation of this vulnerability allows for unauthorized modification or deletion of specific plugin settings, particularly those related to cron schedules and associated WordPress cron events.

Reproduction

To reproduce this vulnerability, an authenticated user with subscriber-level access can send a request to the 'wp_ajax_updateOptions' or 'wp_ajax_fbc_updateOptions' hooks. This can be done using a tool like Postman or through custom JavaScript that interacts with the WordPress AJAX API. The request must include the 'action' parameter set to 'fbc_updateOptions' and can also include other parameters to modify the plugin's settings, such as 'duplicates', 'cron', 'schedule', 'cron_time_day', 'cron_time_hour', and 'cron_time_month'.
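Added illustration of the root cause described above and how a plugin author would close it; this is reconstructed example code, not the Canto plugin's actual source. The option prefix 'fbc_', the nonce action name and the 'nonce' field name are assumptions.

```php
<?php
// Vulnerable pattern (illustrative, NOT the plugin's real code): the handler is
// reachable through wp_ajax_* hooks, so any logged-in user, including a
// subscriber, can call it. Nothing checks *which* user or verifies a nonce.
function fbc_demo_update_options_vulnerable() {
    foreach ( array( 'duplicates', 'cron', 'schedule', 'cron_time_day',
                     'cron_time_hour', 'cron_time_month' ) as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            update_option( 'fbc_' . $key, $_POST[ $key ] ); // unvalidated input
        }
    }
    wp_die();
}

// Hardened form: authorization check, CSRF nonce, and input sanitisation.
// Both AJAX hooks from the advisory are pointed at the hardened handler.
add_action( 'wp_ajax_updateOptions',     'fbc_demo_update_options_hardened' );
add_action( 'wp_ajax_fbc_updateOptions', 'fbc_demo_update_options_hardened' );

function fbc_demo_update_options_hardened() {
    // 1. Authorization: being logged in is not enough; require a capability
    //    that maps to "may change site configuration".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. CSRF protection: the admin page emits wp_create_nonce( 'fbc_update_options' )
    //    and sends it as the 'nonce' POST field (assumed names).
    check_ajax_referer( 'fbc_update_options', 'nonce' );

    // 3. Sanitise each setting according to its expected type.
    $int_keys  = array( 'cron_time_day', 'cron_time_hour', 'cron_time_month' );
    $text_keys = array( 'duplicates', 'cron', 'schedule' );

    foreach ( $int_keys as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            update_option( 'fbc_' . $key, absint( $_POST[ $key ] ) );
        }
    }
    foreach ( $text_keys as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            update_option( 'fbc_' . $key, sanitize_text_field( wp_unslash( $_POST[ $key ] ) ) );
        }
    }

    wp_send_json_success();
}
```

For detection on a live site, a request to admin-ajax.php with action=fbc_updateOptions from a subscriber-level account should now return HTTP 403; before the fix it would succeed and the 'fbc_*' options would change.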

Remediation

Users are advised to update to the latest version of the Canto WordPress plugin, where this vulnerability has been addressed.

Added: Apr 17, 2026, 7:27 AM
Updated: Apr 17, 2026, 7:27 AM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 1.3
exploitability: 6.4
remediation: 0.0
relevance: 6.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.