CVE-2023-6373

CWE-89SQL InjectionCWE-352Cross-Site Request Forgery (CSRF)3 documents3 sources
Severity
8.8HIGH
EPSS
0.2%
top 54.84%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown Artplacer WidgetArtplacer Artplacer Widget
Timeline
PublishedJan 16

Description

The ArtPlacer Widget WordPress plugin before 2.20.7 does not sanitize and escape the "id" parameter before submitting the query, leading to a SQLI exploitable by editors and above. Note: Due to the lack of CSRF check, the issue could also be exploited via a CSRF against a logged editor (or above)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

CVEListV5unknown/artplacer_widget< 2.20.7

🔴Vulnerability Details

2
GHSA
GHSA-pm8g-4f93-7m8m: The ArtPlacer Widget WordPress plugin before 22024-01-16
CVEList
ArtPlacer Widget < 2.20.7 - Editor+ SQLi2024-01-16
CVE-2023-6373 (HIGH CVSS 8.8) | The ArtPlacer Widget WordPress plug | cvebase.io