Cyber Resilience

CVE-2023-6373

High · Public PoC

Published: 16 January 2024

Modified: 11 June 2025
KEV Added: not listed
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (45.3rd percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-6373 is a high-severity SQL Injection (CWE-89) vulnerability in Artplacer's ArtPlacer Widget WordPress plugin. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique System Owner/User Discovery (T1033). The CVE is ranked at the 45.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

The ArtPlacer Widget WordPress plugin before 2.20.7 does not sanitize and escape the "id" parameter before using it in a query, leading to a SQLi exploitable by editors and above. Note: because there is no CSRF check, the issue could also be exploited via a CSRF against a logged-in editor (or above).
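To make the two defects in that description concrete, here is an added illustration of the weak pattern beside its hardened form. It is not the ArtPlacer Widget plugin's code: the handler names, the admin_post hook and the table name are hypothetical; only the "id" parameter, editor-level access and the missing CSRF check come from the advisory.

```php
<?php
// Added illustration, not the ArtPlacer Widget plugin's code. Function names,
// hook and table are hypothetical; the "id" parameter, editor-level access and
// the missing CSRF check are the points taken from the advisory text.

// Weak pattern as described: the request value goes straight into the SQL text
// and nothing ties the request to a deliberate action by the logged-in user.
function example_widget_delete_unsafe() {
    global $wpdb;
    $id = $_REQUEST['id'];                                   // not sanitized
    $wpdb->query( "DELETE FROM {$wpdb->prefix}example_widgets WHERE id = $id" );
}

// Hardened form: capability check, nonce check (CSRF), integer coercion and a
// parameterised query built with $wpdb->prepare().
function example_widget_delete_safe() {
    global $wpdb;

    // Only users holding the intended capability reach the query at all.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // Reject requests without a valid nonce for this action, so a forged
    // cross-site request riding on an editor's session fails here.
    check_admin_referer( 'example_widget_delete' );

    // Coerce to a non-negative integer; anything non-numeric becomes 0 and is refused.
    $id = isset( $_REQUEST['id'] ) ? absint( $_REQUEST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_die( 'Invalid widget id', 400 );
    }

    // %d binds the value as an integer; the SQL text never contains user input.
    $wpdb->query(
        $wpdb->prepare(
            "DELETE FROM {$wpdb->prefix}example_widgets WHERE id = %d",
            $id
        )
    );
}

// The nonce is emitted where the action is offered (hidden field in the admin
// form) so that check_admin_referer() has something to verify.
function example_widget_delete_form_fields() {
    wp_nonce_field( 'example_widget_delete' );
}

add_action( 'admin_post_example_widget_delete', 'example_widget_delete_safe' );
```

In the hardened handler the capability and nonce checks run before any database access, so the CSRF variant is stopped even if the input handling were later regressed.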

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1033 System Owner/User Discovery (tactic: Discovery)
Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system.
T1069.001 Local Groups (tactic: Discovery)
Adversaries may attempt to find local system groups and permission settings.
T1087.001 Local Account (tactic: Discovery)
Adversaries may attempt to get a listing of local system accounts.
T1213.006 Databases (tactic: Collection)
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection via the unsanitized 'id' parameter lets editors and above run arbitrary database queries, facilitating system owner/user discovery (T1033), local group/role discovery (T1069.001), local account discovery (T1087.001), and data collection from the WordPress database (T1213.006). The missing CSRF check widens the exposure, since a logged-in editor can be tricked into issuing the request.

Affected Assets

Vendor: artplacer
Product: artplacer widget
Versions: ≤ 2.20.6

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-89: Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Addresses CWE-89: Input validation checks query inputs to prevent SQL syntax or command manipulation.

References