CVE-2023-3452

CRITICAL NUCLEI LAB

Canto plugin for WordPress <=3.0.4 - RCE

Exploitation Summary

EIP tracks 3 public exploits for CVE-2023-3452. PoCs published by leoanggal1, puppetma4ster, Alpastx. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC exploits a Remote File Inclusion (RFI) vulnerability in the WordPress Canto plugin (CVE-2023-3452) via the 'wp_abspath' parameter, allowing unauthenticated attackers to execute arbitrary code if 'allow_url_include' is enabled. The exploit automates the process by hosting a malicious 'admin.php' file and triggering its inclusion on the target server.

Description

The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 3.0.4 via the 'wp_abspath' parameter. This allows unauthenticated attackers to include and execute arbitrary remote code on the server, provided that allow_url_include is enabled. Local File Inclusion is also possible, albeit less useful because it requires that the attacker be able to upload a malicious PHP file via FTP or some other means into a directory readable by the web server.

Exploits (3)

nomisec WORKING POC 16 stars
by leoanggal1 · poc
https://github.com/leoanggal1/CVE-2023-3452-PoC

This PoC exploits a Remote File Inclusion (RFI) vulnerability in the WordPress Canto plugin (CVE-2023-3452) via the 'wp_abspath' parameter, allowing unauthenticated attackers to execute arbitrary code if 'allow_url_include' is enabled. The exploit automates the process by hosting a malicious 'admin.php' file and triggering its inclusion on the target server.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Canto Plugin < 3.0.5
No auth needed
Prerequisites: Target server must have 'allow_url_include' enabled in PHP configuration · Network access to the vulnerable WordPress instance
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by puppetma4ster · poc
https://github.com/puppetma4ster/Metasploit-Wordpress-Canto-Exploit-RCE

This repository contains a functional Metasploit module that exploits CVE-2023-3452 and CVE-2024-25096, which are remote file inclusion vulnerabilities in the WordPress Canto plugin. The exploit leverages unsanitized parameters (`abspath` and `wp_abspath`) to achieve remote code execution when `allow_url_include` is enabled in PHP.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Canto Plugin <= 3.0.6
No auth needed
Prerequisites: Canto plugin version <= 3.0.6 · PHP with `allow_url_include` enabled
devstral-2 · analyzed Mar 06, 2026

nomisec WORKING POC
by Alpastx · poc
https://github.com/Alpastx/CVE-2023-3452---WordPress-Canto-Plugin-RCE

This repository contains a functional Python exploit for CVE-2023-3452, targeting an RFI vulnerability in the WordPress Canto Plugin (≤ 3.0.4). The exploit includes a local HTTP server to serve a malicious PHP payload and supports both HTTP and HTTPS targets by disabling SSL verification.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Canto Plugin ≤ 3.0.4
No auth needed
Prerequisites: Python 3.6+ · requests library · target must be able to reach attacker's machine on specified port
devstral-2 · analyzed Mar 03, 2026

Nuclei Templates (1)

WordPress Canto Plugin <= 3.0.4 - File Inclusion
CRITICAL · VERIFIED · by omarkurt

Scores

CVSS v3 9.8
EPSS 0.0562
EPSS Percentile 91.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE CWE-98
Status published
Products (2)
canto/canto < 3.0.4
flightbycanto/Canto < 3.0.4
Published Aug 12, 2023
Tracked Since Feb 18, 2026