Vulners
Lucene search
WordPress Plugin Content Timeline - SQL Injection
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | WordPress Content Timeline Plugin SQL Injection Vulnerability | 29 Sep 201700:00 | – | cnvd |
 | CVE-2017-14507 | 28 Sep 201719:00 | – | cve |
 | CVE-2017-14507 | 28 Sep 201719:00 | – | cvelist |
 | EUVD-2017-6008 | 7 Oct 202500:30 | – | euvd |
 | WordPress Plugin Content Timeline - SQL Injection | 16 Sep 201700:00 | – | exploitpack |
 | CVE-2017-14507 | 29 Sep 201701:34 | – | nvd |
 | CVE-2017-14507 | 29 Sep 201701:34 | – | osv |
 | WordPress Content Timeline plugin <=4.4.2 - Multiple Blind SQL Injection vulnerabilities | 3 Oct 201700:00 | – | patchstack |
 | Sql injection | 29 Sep 201701:34 | – | prion |
 | Content Timeline <= 4.4.2 - Multiple Blind SQL Injection | 26 Sep 201700:00 | – | wpexploit |
10
# Exploit Title: Multiple Blind SQL Injections Wordpress Plugin: Content Timeline
# Google Dork: -
# Date: September 16, 2017
# Exploit Author: Jeroen - ITNerdbox
# Vendor Homepage: http://www.shindiristudio.com/
# Software Link: https://codecanyon.net/item/content-timeline-responsive-wordpress-plugin-for-displaying-postscategories-in-a-sliding-timeline/3027163
# Version: 4.4.2
# Tested on: Linux / Nginx / Wordpress 4.8.1 / PHP 7.0.22
# CVE : CVE-2017-14507
## Proof of Concept
http(s)://www.target.tld/wp-admin/admin-ajax.php?action=ctimeline_frontend_get&timeline={inject here}
## Problem in file : content_timeline_class.php
function ajax_frontend_get(){
$timelineId = $_GET['timeline'];
$id = $_GET['id'];
global $wpdb;
if($timelineId) {
$timeline = $wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'ctimelines WHERE id='.$timelineId);
$timeline = $timeline[0];
Problem exists in the GET parameter called 'timeline' which is not sanitized and used in dynamically generating the
SQL syntax.
## Problem in file : pages/content_timeline_edit.php
if(isset($_GET['id'])) {
global $wpdb;
$timeline = $wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'ctimelines WHERE id='.$_GET['id']);
Problem exists in the GET parameter called 'id' which is not sanitized and used in dynamically generating the
SQL syntax.
## Problem in file : pages/content_timeline_index.php
if(isset($_GET['action']) && $_GET['action'] == 'delete') {
$wpdb->query('DELETE FROM '. $prefix . 'ctimelines WHERE id = '.$_GET['id']);
}
Problem exists in the GET parameter called 'id' which is not sanitized and used in dynamically generating the
SQL syntax.
## History
09-16-2017 Contacted the author
09-16-2017 Requested CVE-ID
09-18-2017 CVE-ID Received
09-18-2017 Contacted the author again
09-26-2017 No reaction from author, thus releasing.Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Sep 2017 00:00Current
9.6High risk
Vulners AI Score9.6
CVSS 27.5
CVSS 39.8
EPSS0.07947