CVE-2020-28976

MEDIUM NUCLEI

WordPress Canto Plugin 1.3.0 - Blind Server-Side Request Forgery via detail.php

Title source: manual
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-28976. PoCs published by Pankaj Verma. A Nuclei detection template is also available.

AI-analyzed exploit summary The exploit describes a Blind SSRF vulnerability in the WordPress Canto plugin 1.3.0, where an unauthenticated attacker can make requests to internal/external servers via the 'subdomain' parameter in multiple endpoints. The writeup includes technical details such as vulnerable parameters, endpoints, and reproduction steps.

Description

The Canto plugin 1.3.0 for WordPress contains a blind SSRF vulnerability. It allows an unauthenticated attacker can make a request to any internal and external server via /includes/lib/detail.php?subdomain=SSRF.

Exploits (1)

exploitdb WRITEUP
by Pankaj Verma · textwebappsmultiple
https://www.exploit-db.com/exploits/49189

The exploit describes a Blind SSRF vulnerability in the WordPress Canto plugin 1.3.0, where an unauthenticated attacker can make requests to internal/external servers via the 'subdomain' parameter in multiple endpoints. The writeup includes technical details such as vulnerable parameters, endpoints, and reproduction steps.

Classification
Writeup 90%
Attack Type
Ssrf
Complexity
Trivial
Reliability
Reliable
Target: WordPress Canto Plugin 1.3.0
No auth needed
Prerequisites: Access to the target WordPress instance with the Canto plugin installed
devstral-2 · analyzed Feb 18, 2026 Full analysis →

Nuclei Templates (1)

WordPress Canto 1.3.0 - Blind Server-Side Request Forgery
MEDIUMby LogicalHunter

References (5)

Core 5

Scores

CVSS v3 5.3
EPSS 0.2604
EPSS Percentile 97.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-918
Status published
Products (1)
canto/canto 1.3.0
Published Nov 30, 2020
Tracked Since Feb 18, 2026