vulnrichment / WPScan / VULNRICHMENT:CVE-2023-7268
History: Jul 19, 2024 - 6:00 a.m.

CVE-2023-7268 ArtPlacer Widget < 2.21.2 - Subscriber+ Arbitrary Widget Deletion

2024-07-19 06:00:04
WPScan
github.com
2
cve-2023-7268
artplacer widget
wordpress plugin
authorisation check
authenticated users
subscriber
arbitrary widgets

AI Score

6.8

Confidence

High

SSVC

Exploitation

poc

Automatable

no

Technical Impact

partial

The ArtPlacer Widget WordPress plugin before 2.21.2 does not have an authorisation check in place when deleting widgets, allowing any authenticated user, such as a subscriber, to delete arbitrary widgets.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:artplacer:artplacer_widget:*:*:*:*:*:wordpress:*:*"
    ],
    "vendor": "artplacer",
    "product": "artplacer_widget",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "2.21.2",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]
