wpvulndb | Jeroen - IT Nerdbox | WPVDB-ID: 57D454CD-89E8-474A-898C-57A5DEC1B600
History: Sep 26, 2017 - 12:00 a.m.

Content Timeline <= 4.4.2 - Multiple Blind SQL Injection

2017-09-26 00:00:00 | Jeroen - IT Nerdbox | wpscan.com | 10

EPSS: 0.003 | Percentile: 66.1%

Multiple Blind SQL injections in the premium 'Content Timeline' plugin: one unauthenticated and two authenticated injections. Contacted the author twice without any response.

## History:

- 09-16-2017 Contacted the author
- 09-16-2017 Requested CVE-ID
- 09-18-2017 CVE-ID received
- 09-18-2017 Contacted the author again
- 09-26-2017 No reaction from author, thus releasing

PoC

```
http(s)://www.target.tld/wp-admin/admin-ajax.php?action=ctimeline_frontend_get&timeline={inject here}
```

File: content_timeline_class.php (unauthenticated)

```php
function ajax_frontend_get(){
    $timelineId = $_GET['timeline'];
    $id = $_GET['id'];
    global $wpdb;
    if($timelineId) {
        // Sink: $timelineId is concatenated straight into the query text
        $timeline = $wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'ctimelines WHERE id='.$timelineId);
        $timeline = $timeline[0];
```

User input `$_GET['timeline']` is not sanitized and is used to dynamically generate SQL syntax.

File: pages/content_timeline_edit.php (authenticated)

```php
if(isset($_GET['id'])) {
    global $wpdb;
    // Sink: $_GET['id'] is concatenated straight into the query text
    $timeline = $wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'ctimelines WHERE id='.$_GET['id']);
```

User input `$_GET['id']` is not sanitized and is used to dynamically generate SQL syntax.

File: pages/content_timeline_index.php (authenticated)

```php
if(isset($_GET['action']) && $_GET['action'] == 'delete') {
    // Sink: $_GET['id'] is concatenated straight into a DELETE statement
    $wpdb->query('DELETE FROM '. $prefix . 'ctimelines WHERE id = '.$_GET['id']);
```

User input `$_GET['id']` is not sanitized and is used to dynamically generate SQL syntax.
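A hardened form of the three sinks above, added here as an illustration; it is not the plugin's own code and the page records no vendor fix. Each handler casts the id with `absint()` and binds it through `$wpdb->prepare()` or `$wpdb->delete()`, and the admin-side handlers additionally check a capability and a nonce (the capability name `manage_options` and the nonce action `ctimeline_delete` are assumptions).

```php
<?php
// Added example: hardened versions of the three sinks in the advisory.
// Not the plugin's code; capability name and nonce action are assumptions.

// content_timeline_class.php: unauthenticated AJAX front-end getter.
function ctimeline_secure_ajax_frontend_get() {
    global $wpdb;
    // absint() reduces arbitrary input to a non-negative integer, so
    // anything other than a plain id never reaches the query text.
    $timeline_id = isset( $_GET['timeline'] ) ? absint( $_GET['timeline'] ) : 0;
    if ( ! $timeline_id ) {
        wp_send_json_error( 'missing timeline id', 400 );
    }
    // %d placeholder: $wpdb->prepare() binds the value instead of concatenating it.
    $timeline = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}ctimelines WHERE id = %d", $timeline_id )
    );
    if ( ! $timeline ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( $timeline );
}

// pages/content_timeline_edit.php: authenticated edit page.
function ctimeline_secure_load_for_edit() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) { // assumed capability
        wp_die( 'Insufficient permissions', 403 );
    }
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}ctimelines WHERE id = %d", $id )
    );
}

// pages/content_timeline_index.php: delete action.
function ctimeline_secure_delete() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // A state-changing request must carry a nonce; the action name is an assumption.
    check_admin_referer( 'ctimeline_delete' );
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    // $wpdb->delete() builds the WHERE clause from a typed format (%d here).
    return $wpdb->delete( $wpdb->prefix . 'ctimelines', array( 'id' => $id ), array( '%d' ) );
}
```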

