CVE-2023-6373
Published: 16 January 2024
Summary
CVE-2023-6373 is a high-severity SQL injection (CWE-89) vulnerability in the Artplacer Widget WordPress plugin by Artplacer. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique System Owner/User Discovery (T1033). The CVE is ranked at the 45.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-58614
Vulnerability details
The ArtPlacer Widget WordPress plugin before 2.20.7 does not sanitize and escape the "id" parameter before submitting the query, leading to a SQL injection exploitable by editors and above. Note: due to the lack of a CSRF check, the issue could also be exploited via CSRF against a logged-in editor (or above).
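To make the two defects the description names concrete, here is an added illustration (not code from the ArtPlacer Widget plugin): a hypothetical WordPress AJAX handler that concatenates the request's "id" into SQL with no CSRF nonce check, beside a hardened version using a capability check, check_ajax_referer() and $wpdb->prepare(). The hook name, table name and nonce action are assumptions.

```php
<?php
// Added illustration, not code from the ArtPlacer Widget plugin.
// Hook name, table name and nonce action are hypothetical.

// BEFORE (the pattern the advisory describes): "id" reaches the query
// unescaped, and nothing ties the request to a deliberate action by the
// logged-in user, so a crafted page can trigger it on the editor's behalf.
function example_widget_get_vulnerable() {
    global $wpdb;
    $id  = $_REQUEST['id'];                                  // untrusted, unsanitized
    $sql = "SELECT * FROM {$wpdb->prefix}example_widgets WHERE id = " . $id;
    $row = $wpdb->get_row( $sql );                           // CWE-89
    wp_send_json( $row );
}

// AFTER: capability check, CSRF nonce check, integer coercion and a
// prepared statement. Each block closes one of the gaps named above.
function example_widget_get_hardened() {
    global $wpdb;

    // Only editors and above may call this handler at all.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );              // dies after output
    }

    // The nonce must have been issued to this user for this action (blocks
    // CSRF); the admin page generates it with wp_create_nonce( 'example_widget_get' ).
    check_ajax_referer( 'example_widget_get', 'nonce' );

    // Coerce to a non-negative integer before the value goes anywhere near SQL.
    $id = isset( $_REQUEST['id'] ) ? absint( $_REQUEST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    // %d placeholder: $wpdb->prepare() binds the value, so the statement is
    // never assembled by string concatenation from request data.
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}example_widgets WHERE id = %d", $id )
    );
    wp_send_json_success( $row );
}

add_action( 'wp_ajax_example_widget_get', 'example_widget_get_hardened' );
```

When auditing a plugin for this class of bug, grep for `$wpdb->` calls whose SQL string interpolates `$_GET`, `$_POST` or `$_REQUEST` values, and for `wp_ajax_` handlers that never call check_ajax_referer() or check_admin_referer().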
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
SQL injection via the unsanitized "id" parameter lets editors and above run arbitrary database queries, which supports system owner/user discovery (T1033), local group/role discovery (T1069.001), local account discovery (T1087.001), and data collection from the WordPress database (T1213.006). The missing CSRF check widens exposure: a logged-in editor can be tricked into issuing the request.
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.