ArtPlacer Widget < 2.20.7 - Editor+ SQLi
CVE-2023-6373
Key Information:
- Vendor: WordPress
- Status: Vendor
- CVE Published: 16 January 2024
Summary
The ArtPlacer Widget WordPress plugin is prone to a SQL injection vulnerability because the 'id' parameter of user-submitted queries is neither sanitised nor escaped before it reaches SQL. This allows attackers with editor privileges or above to manipulate SQL queries and potentially expose sensitive database information. Furthermore, the absence of a Cross-Site Request Forgery (CSRF) check makes the issue easier to exploit: an attacker can trigger the vulnerable action through CSRF against an authenticated user, significantly increasing the risk to affected WordPress installations.
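As an added illustration of the two defects the summary names (an unescaped 'id' value reaching SQL, and no CSRF check), the following PHP contrasts a vulnerable admin-ajax handler with a hardened one. This is hypothetical example code written for this page, not ArtPlacer's code; the table name, AJAX action name, nonce name and required capability are assumptions.

```php
<?php
// Hypothetical admin-ajax handler showing the bug class behind CVE-2023-6373.
// Not ArtPlacer's code. Assumes a plugin table "{$wpdb->prefix}widget_items".

// Vulnerable pattern: the request's 'id' is concatenated into SQL, and there is
// neither a nonce check (CSRF) nor a capability check, so a forged request
// made by a logged-in victim's browser reaches the query unchanged.
function hypothetical_get_item_vulnerable() {
    global $wpdb;
    $id  = $_REQUEST['id'];                                   // unsanitised input
    $sql = "SELECT * FROM {$wpdb->prefix}widget_items WHERE id = " . $id;
    wp_send_json( $wpdb->get_row( $sql ) );                   // SQL injection
}

// Hardened pattern: nonce check, capability check, then a typed, prepared query.
function hypothetical_get_item_hardened() {
    global $wpdb;
    // Rejects the request (dies) when the nonce is missing or invalid: CSRF defence.
    check_ajax_referer( 'hypothetical_item_nonce', 'nonce' );
    // Limit the action to users who legitimately need it (assumed capability).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Coerce 'id' to a non-negative integer; anything else becomes 0 and is rejected.
    $id = isset( $_REQUEST['id'] ) ? absint( $_REQUEST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }
    // %d placeholder plus prepare(): the value can never alter the query structure.
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}widget_items WHERE id = %d",
            $id
        )
    );
    wp_send_json_success( $row );
}
add_action( 'wp_ajax_hypothetical_get_item', 'hypothetical_get_item_hardened' );

// The nonce the handler verifies must be minted server-side and handed to the
// script that calls admin-ajax.php, e.g. through wp_localize_script():
//   'nonce' => wp_create_nonce( 'hypothetical_item_nonce' )
```

Both checks matter independently: the prepared query removes the injection even if a request gets through, and the nonce stops a cross-site request from reaching the handler at all.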
Affected Version(s)
ArtPlacer Widget 0 < 2.20.7
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved