CVE-2026-3335 is a Medium-severity vulnerability (CVSS 5.3) affecting the Canto WordPress plugin in versions up to and including 3.1.1. The issue allows unauthenticated file upload because a directly accessible plugin file performs no authorization checks. Details are tracked in the official CVE record for CVE-2026-3335; the issue was reported by Wordfence.
Attack Vectors
An attacker can target sites running the Canto plugin (<= 3.1.1) by making direct web requests to /wp-content/plugins/canto/includes/lib/copy-media.php.
Because the vulnerable file is directly accessible and does not require a logged-in session, attackers do not need valid WordPress credentials to attempt exploitation.
According to the published advisory, the request can include attacker-supplied POST parameters (including URL components such as fbc_flight_domain and fbc_app_api), enabling an attacker-controlled “fetch-and-upload” chain.
Security Weakness
The root cause is missing authorization checks (and related safeguards such as nonce validation) on a plugin endpoint that can be reached directly from the internet.
The advisory states that certain URL components are accepted from user-supplied POST parameters rather than being read solely from administrator-configured settings. As a result, an attacker can control where content is fetched from and how the upload process is driven.
Remediation note: At the time of the advisory, no patch was available. Organizations should weigh mitigations against their risk tolerance; in many cases the safest course is to uninstall the affected plugin and move to an alternative solution.
Technical or Business Impacts
Website integrity risk: Unauthenticated file upload weaknesses can allow unwanted or unapproved content to be placed on the site. Even when the immediate CVSS impact shows “low integrity” (I:L), the operational impact can be significant if malicious files are introduced into the web environment.
Brand and campaign disruption: Marketing sites are often high-traffic and highly visible. If attackers can upload or stage content, you may face defacement, misleading landing pages, or disruptions to tracking and conversion flows—directly impacting pipeline and revenue attribution.
Incident response and compliance costs: Responding to a file-upload incident typically involves emergency site triage, forensic review, and potentially customer or regulator communications depending on exposure. Even without confirmed data theft, downtime and response effort create measurable business cost.
Risk management actions to consider: If you cannot remove Canto immediately, restrict direct access to /wp-content/plugins/canto/includes/lib/copy-media.php at the web server or WAF level (the file is reached directly, so a WordPress-level control does not help), increase monitoring for unexpected file changes and uploads under the web root, and review access logs for requests to the copy-media.php path, especially POST requests from unfamiliar clients. These steps are mitigations, not a substitute for a vendor patch.
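The log review suggested above, as an added example for this write-up (not code from the advisory, Wordfence, or the Canto plugin): a small scanner that reads web-server access logs in the Apache/nginx "combined" format and flags every request whose path ends in the copy-media.php endpoint, normalizing repeated slashes, percent-encoding and letter case so trivial variants still match, and rating POST requests highest because the advisory describes attacker-supplied POST parameters. Access logs do not record POST bodies, so the check for the parameter names fbc_flight_domain and fbc_app_api is applied to the query string only; treating their presence there as a signal is an assumption of this example, and the log lines are constructed, not real traffic.

```python
"""Scan access logs for requests to the Canto copy-media.php endpoint.

Added example for this write-up; not code from the advisory or the plugin.
Assumes Apache/nginx "combined" log format. Checking the suspect parameter
names in the query string is an assumption: POST bodies are not logged.
"""
import re
from urllib.parse import parse_qs, unquote

# Suffix match, because WordPress may be installed under a sub-path.
ENDPOINT_SUFFIX = "/wp-content/plugins/canto/includes/lib/copy-media.php"
SUSPECT_PARAMS = {"fbc_flight_domain", "fbc_app_api"}

# "combined" format: ip ident user [ts] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def normalize_path(path):
    """Decode percent-encoding, collapse repeated slashes, lower-case."""
    return re.sub(r"/+", "/", unquote(path)).lower()


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return a finding for a request that reaches the endpoint, else None."""
    # Split on '?' by hand: urlsplit would read a leading '//' as a host.
    raw_path, _, query = rec["target"].partition("?")
    if not normalize_path(raw_path).endswith(ENDPOINT_SUFFIX):
        return None
    params = parse_qs(query, keep_blank_values=True)
    suspect = sorted(SUSPECT_PARAMS & {k.lower() for k in params})
    # POST is the method the advisory describes; a GET is still a probe worth review.
    severity = "high" if rec["method"] == "POST" or suspect else "medium"
    return {
        "ip": rec["ip"],
        "ts": rec["ts"],
        "method": rec["method"],
        "status": int(rec["status"]),
        "user_agent": rec["ua"],
        "suspect_params": suspect,
        "severity": severity,
    }


def scan(lines):
    """Run classify() over an iterable of log lines; unparsable lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify(rec)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample lines for demonstration; not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [12/Mar/2026:10:01:05 +0000] "POST /wp-content/plugins/canto/includes/lib/copy-media.php HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '203.0.113.30 - - [12/Mar/2026:10:02:11 +0000] "GET /blog//wp-content/plugins/Canto/includes/lib/copy-media.php?fbc_flight_domain=evil.example HTTP/1.1" 404 0 "-" "curl/8.0"',
    '198.51.100.5 - - [12/Mar/2026:10:03:00 +0000] "GET /wp-content/plugins/canto/includes/lib/copy-media.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On the sample input the scanner reports three findings: the POST (high), the GET under /blog/ carrying fbc_flight_domain (high, even though it returned 404, which still tells you someone is probing), and the plain GET (medium). In practice, feed it the full access log and pivot on the source IPs and user agents of any "high" entries; a 200 response to a POST is the case that warrants file-system review.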
Similar Attacks
Unauthenticated file upload issues have a history of being exploited broadly because they can be triggered remotely and at scale:
WP File Manager plugin zero-day (2020) — large-scale exposure tied to file upload/RCE risk