CVE-2024-25096

CRITICAL LAB

Canto < 3.0.7 - Unauthenticated Remote Code Execution

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-25096. PoCs published by puppetma4ster.

AI-analyzed exploit summary This repository contains a functional Metasploit module that exploits CVE-2024-25096 and CVE-2023-3452, which are remote file inclusion vulnerabilities in the WordPress Canto plugin. The exploit leverages unsanitized parameters (`abspath` and `wp_abspath`) to achieve remote code execution when PHP's `allow_url_include` is enabled.

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Canto Inc. Canto allows Code Injection.This issue affects Canto: from n/a through 3.0.7.

Exploits (2)

nomisec WORKING POC

by puppetma4ster · poc

https://github.com/puppetma4ster/Metasploit-Wordpress-Canto-Exploit-RCE

View Code ZIP pw:eip

This repository contains a functional Metasploit module that exploits CVE-2024-25096 and CVE-2023-3452, which are remote file inclusion vulnerabilities in the WordPress Canto plugin. The exploit leverages unsanitized parameters (`abspath` and `wp_abspath`) to achieve remote code execution when PHP's `allow_url_include` is enabled.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: WordPress Canto Plugin <= 3.0.6

No auth needed

Prerequisites: Canto plugin version <= 3.0.6 · PHP with `allow_url_include` enabled

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Mar 06, 2026 Full analysis →

nomisec WORKING POC

by puppetma4ster · poc

https://github.com/puppetma4ster/Metasploit-Wordpress-Canto-Exploit-RCE-CVE-2024-25096

View Code ZIP pw:eip

This repository contains a functional Metasploit exploit module for CVE-2024-25096, targeting an unauthenticated file upload vulnerability in the Canto WordPress plugin (versions <= 3.0.7). The exploit leverages RFI (Remote File Inclusion) to achieve RCE by serving a malicious PHP payload via an HTTP server.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: WordPress Canto plugin <= 3.0.7

No auth needed

Prerequisites: Metasploit framework · network access to target WordPress site · vulnerable Canto plugin installed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Mar 01, 2026 Full analysis →

References (1)

Core 1

Core References

Third Party Advisory vdb-entry

https://patchstack.com/database/vulnerability/canto/wordpress-canto-plugin-3-0-6-unauthenticated-remote-code-execution-rce-vulnerability?_s_id=cve

Scores

CVSS v3 10.0

EPSS 0.0069

EPSS Percentile 47.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Lab Environment

COMMUNITY

Community Lab

docker pull docker.io/library/wordpress:6.4

https://github.com/puppetma4ster/Metasploit-Wordpress-Canto-Exploit-RCE-CVE-2024-25096

https://github.com/puppetma4ster/Metasploit-Wordpress-Canto-Exploit-RCE

View in Library

Details

CWE

CWE-94

Status published

Products (2)

canto/canto < 3.0.7

Canto Inc./Canto < 3.0.7

Published Apr 03, 2024

Tracked Since Feb 18, 2026