Wordpress Plugin Canto 1.3.0 Blind SSRF (Unauthenticated)

Credit: Pankaj Verma
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-918

CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

# Exploit Title: Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)
# Date: 03/12/2020
# Exploit Author: Pankaj Verma (_p4nk4j)
# Vendor Homepage: https://www.canto.com/integrations/wordpress/
# Software Link: https://github.com/CantoDAM/Canto-Wordpress-Plugin
# Version: 1.3.0
# Tested on: Ubuntu 18.04
# CVE: CVE-2020-28976, CVE-2020-28977, CVE-2020-28978

Description:-
The Canto plugin 1.3.0 for WordPress contains Blind SSRF Vulnerabilities. It allows an unauthenticated attacker to make a request to any Internal and External Server via "subdomain" parameter.

Vulnerable Parameters and Endpoints:-
https://target/wp-content/plugins/canto/includes/lib/detail.php?subdomain=
https://target/wp-content/plugins/canto/includes/lib/get.php?subdomain=
https://target/wp-content/plugins/canto/includes/lib/tree.php?subdomain=

Steps To Reproduce:-
1. Start a Netcat Listener on any port For e.g. 4499
2. Navigate to "<wordpress_server>/wp-content/plugins/canto/includes/lib/detail.php?subdomain="
3. Add the Attacker's IP and Port For e.g. "" to "subdomain=" parameter.
4. Observe the response we got from the Target on Attacker's Listener.

Note:- Using "?" in the payload is mandatory as it acts as a bypass to conduct this attack.
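For defenders, a detection sketch over web server access logs, added here as an example and not part of the original advisory or the plugin's code: it flags requests to the three listed endpoints whose "subdomain" value is not a plain DNS label. The combined log format, the single-label assumption for legitimate values, and the sample log lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The three endpoints listed in the advisory.
CANTO_PATHS = re.compile(r"/wp-content/plugins/canto/includes/lib/(detail|get|tree)\.php$")
# Assumption: a legitimate value is a single DNS label (letters, digits, hyphen).
DNS_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Combined log format: client, identity, user, [time], "METHOD target PROTO", status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (documentation address ranges, not real traffic).
LIB = "/wp-content/plugins/canto/includes/lib"
SAMPLE_LOG = [
    f'203.0.113.5 - - [03/Dec/2020:10:00:00 +0000] "GET {LIB}/detail.php?subdomain=192.0.2.10:4499%3F HTTP/1.1" 200 0',
    f'198.51.100.20 - - [03/Dec/2020:10:01:00 +0000] "GET {LIB}/get.php?subdomain=acme HTTP/1.1" 200 512',
    '198.51.100.21 - - [03/Dec/2020:10:02:00 +0000] "GET /index.php?subdomain=192.0.2.10 HTTP/1.1" 200 100',
    f'203.0.113.9 - - [03/Dec/2020:10:03:00 +0000] "GET {LIB}/tree.php?subdomain=internal.example%2F HTTP/1.1" 200 0',
]

def suspicious_canto_requests(lines):
    """Return (client_ip, path, subdomain_value) for requests to the Canto
    endpoints whose subdomain parameter is not a plain DNS label."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the assumed log format
        client, _method, target, _status = m.groups()
        parts = urlsplit(target)
        if not CANTO_PATHS.search(parts.path):
            continue
        # parse_qs percent-decodes values, so encoded '?', ':' and '/' are caught too.
        values = parse_qs(parts.query, keep_blank_values=True).get("subdomain", [])
        for value in values:
            if not DNS_LABEL.match(value):
                hits.append((client, parts.path, value))
    return hits

if __name__ == "__main__":
    for client, path, value in suspicious_canto_requests(SAMPLE_LOG):
        print(f"ALERT client={client} path={path} subdomain={value!r}")
```

Because these PHP files are reachable directly under wp-content without authentication, any hit from an external client is worth triaging alongside outbound connection logs from the WordPress host.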

Copyright 2021, cxsecurity.com