WordPress Plugin Content Timeline - SQL Injection

EDB-ID: 42794
Published: Sep 16, 2017
Author: Jeroen - IT Nerdbox
Source: www.exploit-db.com

CVSS2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Attack Vector: NETWORK, Attack Complexity: LOW, Authentication: NONE
  Confidentiality Impact: PARTIAL, Integrity Impact: PARTIAL, Availability Impact: PARTIAL

CVSS3: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK, Attack Complexity: LOW, Privileges Required: NONE, User Interaction: NONE, Scope: UNCHANGED
  Confidentiality Impact: HIGH, Integrity Impact: HIGH, Availability Impact: HIGH

AI Score: 9.6 (Confidence: High)
EPSS: 0.003 (Percentile: 66.1%)

# Exploit Title: Multiple Blind SQL Injections Wordpress Plugin: Content Timeline
# Google Dork: -
# Date: September 16, 2017
# Exploit Author: Jeroen - ITNerdbox
# Vendor Homepage: http://www.shindiristudio.com/
# Software Link: https://codecanyon.net/item/content-timeline-responsive-wordpress-plugin-for-displaying-postscategories-in-a-sliding-timeline/3027163
# Version: 4.4.2
# Tested on: Linux / Nginx / Wordpress 4.8.1 / PHP 7.0.22
# CVE : CVE-2017-14507

## Proof of Concept

http(s)://www.target.tld/wp-admin/admin-ajax.php?action=ctimeline_frontend_get&timeline={inject here}

## Problem in file : content_timeline_class.php

```php
function ajax_frontend_get(){
        $timelineId = $_GET['timeline'];   // raw request input, never validated or cast
        $id = $_GET['id'];                 // same for 'id'
        global $wpdb;
        if($timelineId) {
                // 'timeline' is concatenated straight into the SQL text, so it controls query syntax
                $timeline = $wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'ctimelines WHERE id='.$timelineId);
                $timeline = $timeline[0];
                // (excerpt ends here in the original advisory)
```

The GET parameter 'timeline' is not sanitized or cast to an integer and is concatenated directly into the SQL statement, so its value becomes part of the query syntax.

## Problem in file : pages/content_timeline_edit.php

```php
    if(isset($_GET['id'])) {
        global $wpdb;
        // isset() only checks presence; 'id' is still concatenated unvalidated into the SQL text
        $timeline = $wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'ctimelines WHERE id='.$_GET['id']);
```

The GET parameter 'id' is not sanitized and is concatenated directly into the SQL statement.

## Problem in file : pages/content_timeline_index.php

```php
            if(isset($_GET['action']) && $_GET['action'] == 'delete') {
                // 'id' is concatenated unvalidated into a DELETE statement
                $wpdb->query('DELETE FROM '. $prefix . 'ctimelines WHERE id = '.$_GET['id']);
            }
```

The GET parameter 'id' is not sanitized and is concatenated directly into the DELETE statement.
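As an added defender-side example (not part of the original advisory), the following Python scans web-server access-log lines for requests to the vulnerable `admin-ajax.php` action whose `timeline` or `id` parameter is not a plain integer, the only value the `WHERE id=` query legitimately expects; the log lines and addresses are constructed for the example, and the same integer-only check is what the `id` parameter of the edit and delete sinks should also receive.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request-line extractor for combined log format: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# The vulnerable AJAX action and the two GET parameters it concatenates into SQL
# (both taken from the advisory's ajax_frontend_get excerpt).
VULN_ACTION = "ctimeline_frontend_get"
SQL_SINK_PARAMS = ("timeline", "id")
INT_RE = re.compile(r"[0-9]+")

def find_suspicious(log_lines):
    """Return (line_no, param, value) for requests to the vulnerable action whose
    SQL-bound parameter is not a plain integer. A numeric row id is the only
    value the query expects, so anything else deserves investigation."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        qs = parse_qs(parts.query)          # percent-decodes values for us
        if VULN_ACTION not in qs.get("action", []):
            continue
        for param in SQL_SINK_PARAMS:
            for value in qs.get(param, []):
                if not INT_RE.fullmatch(value):
                    findings.append((n, param, value))
    return findings

# Constructed sample lines (not real traffic): benign, two suspicious, one unrelated action.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Sep/2017:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=ctimeline_frontend_get&timeline=3 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [16/Sep/2017:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=ctimeline_frontend_get&timeline=3%27 HTTP/1.1" 500 0 "-" "curl/7.55"',
    '10.0.0.9 - - [16/Sep/2017:10:01:15 +0000] "GET /wp-admin/admin-ajax.php?action=ctimeline_frontend_get&timeline=3&id=1%20OR%201%3D1 HTTP/1.1" 200 812 "-" "curl/7.55"',
    '10.0.0.7 - - [16/Sep/2017:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&id=x HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line_no, param, value in find_suspicious(SAMPLE_LOG):
        print(f"line {line_no}: {param}={value!r}")
```

A 500 response paired with a flagged value, as on the second sample line, is a useful secondary signal that the injected syntax actually reached the database.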

## History

09-16-2017    Contacted the author
09-16-2017    Requested CVE-ID
09-18-2017    CVE-ID received
09-18-2017    Contacted the author again
09-26-2017    No reaction from author, thus releasing.
