Vulnerabilities and security researches forartplacer-widget artplacer-widget

Jun 10, 2024

CVE, Research URL: CVE-2023-6373
Home page URL: Security reports for ArtPlacer Widget
Application: ArtPlacer Widget
Date: Jan 16, 2024
Research Description: The ArtPlacer Widget WordPress plugin before 2.20.7 does not sanitize and escape the "id" parameter before submitting the query, leading to a SQLI exploitable by editors and above. Note: Due to the lack of CSRF check, the issue could also be exploited via a CSRF against a logged editor (or above)
Affected versions: max 2.20.7.
Status: vulnerable

Jul 21, 2024

CVE, Research URL: CVE-2023-7268
Home page URL: Security reports for ArtPlacer Widget
Application: ArtPlacer Widget
Date: Jul 19, 2024
Research Description: The ArtPlacer Widget WordPress plugin before 2.21.2 does not have authorisation check in place when deleting widgets, allowing ay authenticated users, such as subscriber, to delete arbitrary widgets
Affected versions: max 2.21.2.
Status: vulnerable

CVE, Research URL: CVE-2023-7269
Home page URL: Security reports for ArtPlacer Widget
Application: ArtPlacer Widget
Date: Jul 19, 2024
Research Description: The ArtPlacer Widget WordPress plugin before 2.21.2 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
Affected versions: max 2.21.2.
Status: vulnerable

Jan 10, 2026

CVE, Research URL: CVE-2025-67517
Home page URL: Security reports for ArtPlacer Widget
Application: ArtPlacer Widget
Date: Dec 09, 2025
Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in artplacer ArtPlacer Widget artplacer-widget allows Blind SQL Injection.This issue affects ArtPlacer Widget: from n/a through <= 2.22.9.2.
Affected versions: max 2.22.9.2.
Status: vulnerable