PT-2024-14941 · WordPress · Artplacer Widget

Claudio Marchesini +1 · Published 2024-01-16 · Updated 2024-01-23 · CVE-2023-6373

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ArtPlacer Widget WordPress plugin versions prior to 2.20.7

Description: The id parameter is neither sanitized nor escaped before it is used in an SQL query, leading to a SQL injection (SQLi) that can be exploited by users with the Editor role or higher. Because the same handler performs no CSRF check, the injection can also be triggered through a CSRF attack against a logged-in editor or administrator, so the attacker does not need an account of their own.

Recommendations: For versions prior to 2.20.7, update to version 2.20.7 or later to resolve the issue. As a temporary workaround, deactivate the plugin, or restrict its functionality to trusted administrators, until the update is applied. Note that a CSRF attack runs with the victim's own privileges, so restricting roles alone does not remove the risk while the vulnerable handler stays reachable. If the plugin is modified locally, the id parameter must be validated (cast to an integer) and passed to the query through $wpdb->prepare() rather than interpolated into the SQL string.
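The pattern the advisory describes, shown as an added example that is not the ArtPlacer plugin's code: a WordPress admin-ajax handler that interpolates the id parameter into a query without a nonce check, beside a hardened version that adds the CSRF check, a capability check, input validation and a parameterized query. Function, action and table names are hypothetical.

```php
<?php
// Added example, not the ArtPlacer plugin's own code. Function, AJAX action
// and table names are hypothetical.

// --- Vulnerable pattern: 'id' is interpolated into the SQL text unescaped,
// and there is no nonce check, so any request carrying a logged-in editor's
// cookies, including one launched from an attacker's page, reaches the query.
function example_widget_get_vulnerable() {
    global $wpdb;
    $id  = $_POST['id'];                                  // untrusted, unsanitized
    $row = $wpdb->get_row(
        "SELECT * FROM {$wpdb->prefix}example_widgets WHERE id = $id"
    );
    wp_send_json( $row );
}

// --- Hardened pattern.
function example_widget_get_hardened() {
    global $wpdb;

    // 1. CSRF: require a nonce bound to this action. check_ajax_referer()
    //    terminates the request when the nonce is missing or invalid.
    check_ajax_referer( 'example_widget_get', 'nonce' );

    // 2. Authorization: check the capability explicitly instead of relying on
    //    the wp_ajax_* hook (which only requires the user to be logged in).
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: the id column is numeric, so cast to a non-negative
    //    integer and refuse zero, which absint() returns for garbage input.
    $id = absint( $_POST['id'] ?? 0 );
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    // 4. Parameterized query: %d makes $wpdb->prepare() emit the integer, so
    //    the value is never part of the SQL grammar.
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}example_widgets WHERE id = %d",
            $id
        )
    );
    wp_send_json_success( $row );
}
add_action( 'wp_ajax_example_widget_get', 'example_widget_get_hardened' );

// The nonce the client must send is minted when the admin page is rendered,
// e.g. in the script data passed to the page:
//   wp_localize_script( 'example-widget', 'exampleWidget',
//       array( 'nonce' => wp_create_nonce( 'example_widget_get' ) ) );
```

The order of the checks matters: the nonce check comes first because a CSRF request from a logged-in editor passes the capability check, and the integer cast is a defence in depth on top of $wpdb->prepare(), not a replacement for it.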

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2023-6373

Affected Products: Artplacer Widget