CVE-2026-6441
Status: Received - Intake
Missing Authorization in Canto WordPress Plugin Allows Option Manipulation

Publication date: 2026-04-17

Last updated on: 2026-04-17

Assigner: Wordfence

Description
The Canto plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 3.1.1. This is due to the absence of any capability check or nonce verification in the updateOptions() function, which is exposed via two AJAX hooks: wp_ajax_updateOptions (class-canto.php line 231) and wp_ajax_fbc_updateOptions (class-canto-settings.php line 76). Both hooks are registered exclusively under the wp_ajax_ prefix (requiring only a logged-in user), with no call to current_user_can() or check_ajax_referer(). This makes it possible for authenticated attackers with subscriber-level access and above to arbitrarily modify or delete plugin options controlling cron scheduling behavior (fbc_duplicates, fbc_cron, fbc_schedule, fbc_cron_time_day, fbc_cron_time_hour, fbc_cron_start) and to manipulate or clear the plugin's scheduled WordPress cron event (fbc_scheduled_update).
Meta Information
Published: 2026-04-17
Last Modified: 2026-04-17
Generated: 2026-06-16
AI Q&A: 2026-04-17
EPSS Evaluated: 2026-06-14
Affected Vendors & Products (1 associated CPE)
Vendor: canto | Product: canto | Version range: up to and including 3.1.1
CWE
CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The Canto plugin for WordPress is affected by a Missing Authorization (CWE-862) flaw in versions up to and including 3.1.1. Its updateOptions() function performs neither a capability check nor nonce verification, yet it is reachable through two AJAX hooks (wp_ajax_updateOptions and wp_ajax_fbc_updateOptions) that require nothing more than a logged-in session.

As a result, any authenticated user with subscriber-level access or higher can modify or delete plugin options related to cron scheduling and manipulate or clear the plugin's scheduled WordPress cron event.

Impact Analysis

This vulnerability lets any authenticated user, down to the subscriber role, rewrite or delete the six options that govern the plugin's scheduled work (fbc_duplicates, fbc_cron, fbc_schedule, fbc_cron_time_day, fbc_cron_time_hour, fbc_cron_start) and reschedule or clear the fbc_scheduled_update cron event.

The direct consequence is a loss of integrity and availability of the plugin's automated processing: scheduled updates can be stopped, moved, or made to run at attacker-chosen times, and the site's content sync may silently drift. The advisory names no impact beyond these options; it does not describe arbitrary option writes, code execution, or privilege escalation. Because the handler also checks no nonce, the same request can be forged cross-site from a page an administrator visits, so the exposure is not limited to the subscriber accounts that can call it directly.

Compliance Impact

The vulnerability allows authenticated attackers with subscriber-level access to modify or delete plugin options and manipulate scheduled cron events without proper authorization checks.

This unauthorized modification capability could potentially lead to integrity issues within the WordPress environment, which may impact compliance with standards and regulations that require strict access controls and data integrity, such as GDPR and HIPAA.

The advisory does not describe any direct effect on the confidentiality or availability of personal data, and it names no specific compliance violation; any regulatory impact follows only from the loss of integrity of the plugin's configuration.

Detection Guidance

Start by confirming exposure: any installation of the Canto plugin at version 3.1.1 or earlier is affected. The weakness is structural (the hooks wp_ajax_updateOptions and wp_ajax_fbc_updateOptions are registered without a capability check or nonce verification), so on an affected version there is nothing to fingerprint beyond the version itself.

Because exploitation is an ordinary authenticated POST to admin-ajax.php, detecting attempts means attributing calls to those two actions to the account that made them, which a web server cannot do on its own.

Suggested checks for the vulnerable version and for exploitation attempts:

  • Read the installed version with WP-CLI (wp plugin get canto --field=version) or from Plugins > Installed Plugins in wp-admin.
  • Inspect the plugin source: grep -rn 'wp_ajax_updateOptions\|wp_ajax_fbc_updateOptions' in the plugin directory leads to the registrations in class-canto.php and class-canto-settings.php; on an affected version the updateOptions() handler they reach contains no current_user_can() or check_ajax_referer() call.
  • On a staging copy, call the endpoints with the session cookies of a throwaway subscriber account (replace example.com; the cookie is required, because both hooks exist only under the wp_ajax_ prefix and an unauthenticated request is answered with a bare 0 and HTTP 400 whether or not the site is vulnerable):
    curl -i -X POST -b cookies.txt 'https://example.com/wp-admin/admin-ajax.php?action=updateOptions'
    curl -i -X POST -b cookies.txt 'https://example.com/wp-admin/admin-ajax.php?action=fbc_updateOptions'
    A fixed handler rejects the low-privilege session (a failed check_ajax_referer() dies with -1 and HTTP 403; a failed capability check refuses the request); a vulnerable one runs the handler for the subscriber.
  • Search web server logs for POST requests to /wp-admin/admin-ajax.php whose query string contains action=updateOptions or action=fbc_updateOptions. Treat absence as weak evidence: clients normally send the action in the POST body, which access logs do not record, and the log carries no WordPress user or role, so application-side logging of the two hooks is needed to attribute a call to a low-privilege account.
  • Compare the current values of fbc_duplicates, fbc_cron, fbc_schedule, fbc_cron_time_day, fbc_cron_time_hour and fbc_cron_start (wp option get <name>) and the schedule of fbc_scheduled_update (wp cron event list) against a known-good baseline; a change no administrator made is the most reliable sign of exploitation.
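Web server logs cannot say which WordPress account or role called admin-ajax.php, so attribution has to happen inside WordPress. The following must-use plugin is an added example written for this page, not code from Canto or from WordPress core: it hooks the two action names from the advisory at priority 0 (ahead of the plugin's own handler at the default priority 10), writes the caller's identity and the submitted option names to the PHP error log, and raises a separate alert line when the caller lacks manage_options. The cve_2026_6441_* names are the example's own; the choice of manage_options as the "legitimate administrator" threshold is an assumption.

```php
<?php
/**
 * Plugin Name: CVE-2026-6441 AJAX audit
 * Description: Records every call to the Canto updateOptions / fbc_updateOptions
 *              AJAX actions with the caller's identity. Place this file in
 *              wp-content/mu-plugins/ (added example, not part of the Canto plugin).
 */

// The two hooks named in the advisory; both fire only for logged-in users.
const CVE_2026_6441_ACTIONS = ['updateOptions', 'fbc_updateOptions'];

// Options the advisory says the handler can change. Only their *names* are
// logged, never values, so nothing sensitive lands in the log.
const CVE_2026_6441_OPTIONS = [
    'fbc_duplicates', 'fbc_cron', 'fbc_schedule',
    'fbc_cron_time_day', 'fbc_cron_time_hour', 'fbc_cron_start',
];

function cve_2026_6441_audit(string $action): void {
    $user  = wp_get_current_user();
    $roles = implode(',', (array) $user->roles);
    $ip    = $_SERVER['REMOTE_ADDR'] ?? '-';
    $keys  = array_map('sanitize_key', array_keys($_POST));
    $hits  = array_intersect($keys, CVE_2026_6441_OPTIONS);

    // One line per call, whoever made it: this is the attribution the
    // web server log cannot provide.
    error_log(sprintf(
        '[CVE-2026-6441] action=%s user_id=%d login=%s roles=%s ip=%s post_keys=%s',
        $action, $user->ID, $user->user_login, $roles, $ip, implode(',', $keys)
    ));

    // Administrators reach these handlers legitimately from the settings page.
    // Anyone below that capability (assumed threshold: manage_options) has no
    // business here, so flag it separately for alerting.
    if (!current_user_can('manage_options')) {
        error_log(sprintf(
            '[CVE-2026-6441] ALERT low-privilege caller user_id=%d roles=%s cron_options_in_request=%s',
            $user->ID, $roles, implode(',', $hits) ?: '(none)'
        ));
    }
}

// Priority 0 runs before the plugin's handler (default priority 10), so the
// call is recorded even if that handler later dies or redirects.
foreach (CVE_2026_6441_ACTIONS as $action) {
    add_action('wp_ajax_' . $action, function () use ($action): void {
        cve_2026_6441_audit($action);
    }, 0);
}
```

The lines go wherever PHP's error_log is pointed (wp-content/debug.log when WP_DEBUG_LOG is enabled), from where they can be shipped to a SIEM; an alert on the ALERT line is a direct indicator of an exploitation attempt. The audit hook only observes and never blocks, so it is safe to leave in place after patching.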
Mitigation Strategies

Immediate mitigation steps include:

  • Update the Canto plugin to a release later than 3.1.1 in which the vendor has fixed this issue; every version up to and including 3.1.1 is affected.
  • If the vendor fix cannot be applied yet, gate the two handlers yourself: a current_user_can() check for the capability the settings page itself requires, hooked on wp_ajax_updateOptions and wp_ajax_fbc_updateOptions at a lower priority than the plugin's own callback so it runs first, refuses subscriber-level callers; a check_ajax_referer() call closes the cross-site (CSRF) path once the settings page sends the nonce. Registering the hooks only under wp_ajax_ restricts nothing beyond "logged in"; only an explicit capability check limits roles.
  • Monitor and audit logs for calls to these two actions from accounts below administrator, and compare the fbc_* options and the fbc_scheduled_update event against a known-good baseline.
  • If neither an update nor a stopgap is possible, deactivate or remove the Canto plugin until it can be patched.
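The shape of the fix the second bullet asks for, as an added example and not Canto's source: the first handler reconstructs the pattern the advisory describes (a logged-in-only AJAX hook that writes the six cron options with no capability check, no nonce and no validation), and the second is the hardened form. The nonce action name fbc_update_options, the script handle fbc-settings, the function names, and the accepted value ranges for each option (0/1 flags, a registered cron recurrence, hour 0-23, day 0-6, a non-negative integer for fbc_cron_start) are all assumptions of this example, not Canto's real values.

```php
<?php
// Options the advisory says the handler can change.
const FBC_CRON_OPTIONS = [
    'fbc_duplicates', 'fbc_cron', 'fbc_schedule',
    'fbc_cron_time_day', 'fbc_cron_time_hour', 'fbc_cron_start',
];

// --- Flawed shape (illustrative reconstruction, not Canto's actual code) -----
// wp_ajax_ hooks fire for any logged-in user; nothing below asks who that is,
// nothing proves the request came from the settings page, nothing validates.
add_action('wp_ajax_updateOptions', 'fbc_update_options_unchecked');
function fbc_update_options_unchecked(): void {
    foreach (FBC_CRON_OPTIONS as $name) {
        if (isset($_POST[$name])) {
            update_option($name, wp_unslash($_POST[$name]));   // subscriber-writable
        }
    }
    wp_die();
}

// --- Hardened form ----------------------------------------------------------
add_action('wp_ajax_fbc_updateOptions', 'fbc_update_options_checked');
function fbc_update_options_checked(): void {
    // 1. Authorization: changing plugin settings is an administrator task.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }
    // 2. CSRF: the token is minted for the settings page (see below) and must
    //    arrive in the 'nonce' field; on failure this dies with -1 / HTTP 403.
    check_ajax_referer('fbc_update_options', 'nonce');

    // 3. Allow-list with a validator per option (ranges are assumptions);
    //    null means "reject". Unknown request fields are simply ignored.
    $flag = fn($v) => in_array($v, ['0', '1'], true) ? (int) $v : null;
    $int  = fn($v, int $max) => (is_string($v) && ctype_digit($v) && (int) $v <= $max) ? (int) $v : null;
    $validators = [
        'fbc_duplicates'     => $flag,
        'fbc_cron'           => $flag,
        'fbc_schedule'       => fn($v) => (is_string($v) && array_key_exists($v, wp_get_schedules())) ? $v : null,
        'fbc_cron_time_hour' => fn($v) => $int($v, 23),
        'fbc_cron_time_day'  => fn($v) => $int($v, 6),
        'fbc_cron_start'     => fn($v) => $int($v, PHP_INT_MAX),   // assumed: Unix timestamp
    ];

    $updated = [];
    foreach ($validators as $name => $validate) {
        if (!array_key_exists($name, $_POST)) {
            continue;
        }
        $clean = $validate(wp_unslash($_POST[$name]));
        if ($clean === null) {
            wp_send_json_error(['message' => "invalid value for {$name}"], 400);
        }
        update_option($name, $clean);
        $updated[] = $name;
    }
    wp_send_json_success(['updated' => $updated]);
}

// Hand the nonce to the settings page's script (handle assumed) so legitimate
// requests carry it as the 'nonce' POST field alongside 'action'.
add_action('admin_enqueue_scripts', function (): void {
    wp_localize_script('fbc-settings', 'fbcAjax', [
        'url'   => admin_url('admin-ajax.php'),
        'nonce' => wp_create_nonce('fbc_update_options'),
    ]);
});
```

The capability check comes before the nonce check on purpose: a nonce only proves the request originated from a page WordPress served to this user, it says nothing about what the user may do, so a subscriber holding a valid nonce must still be refused. As a stopgap before the vendor release, the same current_user_can() gate hooked on both action names at priority 0 from a must-use plugin runs ahead of the vulnerable handler and ends the request with wp_send_json_error() for anyone below the required capability.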