Content Timeline <= 4.4.2 - Multiple Blind SQL Injection

2017-10-03T00:00:00
ID WPVDB-ID:8921
Type wpvulndb
Reporter Jeroen - IT Nerdbox
Modified 2019-11-01T00:00:00

Description

WordPress Vulnerability - Content Timeline <= 4.4.2 - Multiple Blind SQL Injection

PoC

http(s)://www.target.tld/wp-admin/admin-ajax.php?action=ctimeline_frontend_get&timeline;={inject here} File: content_timeline_class.php (unauthenticated) function ajax_frontend_get(){ $timelineId = $_GET['timeline']; $id = $_GET['id']; global $wpdb; if($timelineId) { $timeline = $wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'ctimelines WHERE id='.$timelineId); $timeline = $timeline[0]; User input $_GET['timeline'] is not sanitized and used to dynamically generate SQL syntax. File: pages/content_timeline_edit.php (authenticated) if(isset($_GET['id'])) { global $wpdb; $timeline = $wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'ctimelines WHERE id='.$_GET['id']); User input $_GET['id'] is not sanitized and used to dynamically generate SQL syntax. File: pages/content_timeline_index.php if(isset($_GET['action']) && $_GET['action'] == 'delete') { $wpdb->query('DELETE FROM '. $prefix . 'ctimelines WHERE id = '.$_GET['id']); User input $_GET['id'] is not sanitized and used to dynamically generate SQL syntax.