Description
WordPress Plugin Canto is prone to multiple server-side request forgery vulnerabilities. An attacker may leverage these issues to make the vulnerable server perform port scanning of hosts in internal or external networks; other attacks are also possible. WordPress Plugin Canto version 1.7.0 is vulnerable; prior versions may also be affected.
Remediation
Disable the plugin until a fix is available
References
https://gist.github.com/p4nk4jv/87aebd999ce4b28063943480e95fd9e0
https://www.exploit-db.com/exploits/49189
https://packetstormsecurity.com/files/160358/WordPress-Canto-1.3.0-Server-Side-Request-Forgery.html