Content Timeline <= 4.4.2 - Multiple Blind SQL Injection
Description
Multiple blind SQL injection vulnerabilities in the premium 'Content Timeline' WordPress plugin, versions up to and including 4.4.2. One injection is reachable without authentication through an admin-ajax.php action; the other two sit in the plugin's wp-admin pages and require a logged-in user who can open them. In all three cases a request parameter is concatenated straight into a query, with no casting and no $wpdb->prepare().

Contacted the author twice without any response.

History

09-16-2017        Contacted the author
09-16-2017        Requested CVE-ID
09-18-2017        CVE-ID Received
09-18-2017        Contacted the author again
09-26-2017        No reaction from author, thus releasing.
Proof of Concept
http(s)://www.target.tld/wp-admin/admin-ajax.php?action=ctimeline_frontend_get&timeline={inject here}

{inject here} marks the injection point. The value lands in a numeric comparison (WHERE id=...), so no quote has to be closed, and the request needs no session.

File: content_timeline_class.php (unauthenticated)

function ajax_frontend_get(){
    $timelineId = $_GET['timeline'];   // attacker-controlled, never validated
    $id = $_GET['id'];
    global $wpdb;
    if($timelineId) {                  // truthiness check only: rejects "" and "0", nothing else
        // $timelineId is concatenated straight into the WHERE clause
        $timeline = $wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'ctimelines WHERE id='.$timelineId);
        $timeline = $timeline[0];
        // ... remainder of the function not shown in the advisory

User input $_GET['timeline'] is neither cast to an integer nor passed through $wpdb->prepare(); it is concatenated straight into the WHERE clause. The only guard, if($timelineId), is a PHP truthiness test that rejects an empty or "0" value and nothing else. Because the injection point is a numeric comparison, no quote has to be closed, and because the advisory classes the flaw as blind, the attacker infers results from response differences or timing rather than from echoed data. This handler is reachable by anonymous visitors through admin-ajax.php, which makes it the most serious of the three.
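For defenders who cannot patch immediately, the endpoint above is easy to watch for: a legitimate request carries a plain integer in timeline, anything else is a probe. The following script is an added example, not part of the advisory or the plugin; it parses constructed access-log lines in Apache/nginx "combined" format and flags requests to action=ctimeline_frontend_get whose timeline or id value is not a bare integer. The function and log lines are this example's own.

```php
<?php
// Added example (not part of the advisory): flag access-log requests to the
// unauthenticated ctimeline_frontend_get action whose `timeline` or `id`
// parameter is anything other than a plain integer.
// Assumes "combined" log format. The log lines are constructed for the example.

function ctimeline_example_sample_log() {
    return <<<'LOG'
203.0.113.7 - - [26/Sep/2017:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=ctimeline_frontend_get&timeline=3 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Sep/2017:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=ctimeline_frontend_get&timeline=3%20AND%201%3D1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Sep/2017:10:01:11 +0000] "GET /wp-admin/admin-ajax.php?action=ctimeline_frontend_get&timeline=3%20AND%20SLEEP(5)&id=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.4 - - [26/Sep/2017:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 44 "-" "Mozilla/5.0"
198.51.100.4 - - [26/Sep/2017:10:02:30 +0000] "GET /?p=3%20AND%201%3D1 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
LOG;
}

// Return one hit per request whose timeline/id value is not a bare integer.
function ctimeline_example_find_suspicious_requests( $log ) {
    $hits = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        // The request target sits in the quoted "METHOD target HTTP/x.y" field.
        if ( ! preg_match( '~"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/[\d.]+"~', $line, $m ) ) {
            continue;
        }
        $url = parse_url( $m[1] );
        if ( empty( $url['path'] ) || ! preg_match( '~/admin-ajax\.php$~', $url['path'] ) ) {
            continue;
        }
        // parse_str() percent-decodes, so "3%20AND%201%3D1" becomes "3 AND 1=1".
        parse_str( isset( $url['query'] ) ? $url['query'] : '', $params );
        if ( ! isset( $params['action'] ) || 'ctimeline_frontend_get' !== $params['action'] ) {
            continue;
        }
        $ip = substr( $line, 0, strpos( $line, ' ' ) );
        foreach ( array( 'timeline', 'id' ) as $param ) {
            if ( ! isset( $params[ $param ] ) ) {
                continue;
            }
            $value = $params[ $param ];
            // Arrays (timeline[]=...) and any non-digit content are both abnormal
            // for a parameter the plugin compares against an integer id column.
            if ( is_array( $value ) || ( '' !== $value && ! ctype_digit( $value ) ) ) {
                $hits[] = array(
                    'ip'    => $ip,
                    'param' => $param,
                    'value' => is_array( $value ) ? '[array]' : $value,
                );
            }
        }
    }
    return $hits;
}

// CLI usage: php detect.php  (expect the two probes from 203.0.113.9)
foreach ( ctimeline_example_find_suspicious_requests( ctimeline_example_sample_log() ) as $hit ) {
    printf( "%s  %s=%s\n", $hit['ip'], $hit['param'], $hit['value'] );
}
```

Two caveats. The script only sees parameters in the query string, so a POST to admin-ajax.php with the same action in its body is invisible in a standard access log; WAF or application-level logging is needed for that. And an empty timeline value is deliberately not flagged, since the plugin's own if($timelineId) test already drops it.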


File: pages/content_timeline_edit.php (authenticated)
 
    if(isset($_GET['id'])) {
        global $wpdb;
        // $_GET['id'] is concatenated straight into the WHERE clause
        $timeline = $wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'ctimelines WHERE id='.$_GET['id']);
        // ... remainder not shown in the advisory

User input $_GET['id'] is not validated or cast; isset() only checks that the parameter is present. It is concatenated into the query exactly as in the ajax handler. This file is one of the plugin's wp-admin pages, so exploiting it requires a logged-in user who can open the edit screen.


File: pages/content_timeline_index.php (authenticated)
 
    if(isset($_GET['action']) && $_GET['action'] == 'delete') {
        // $_GET['id'] is concatenated straight into the WHERE clause of a DELETE
        $wpdb->query('DELETE FROM '. $prefix . 'ctimelines WHERE id = '.$_GET['id']);
        // ... remainder not shown in the advisory

User input $_GET['id'] is again concatenated unvalidated, this time into the WHERE clause of a DELETE statement. Beyond the blind-injection primitive, a value that turns the condition into one that is always true removes every row of the ctimelines table instead of the one requested, so the impact here is also destructive. Like the edit page, this handler requires a logged-in user who can reach the plugin's index page.
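All three sinks share one fix: validate the id as a positive integer and bind it with $wpdb->prepare() instead of concatenating it. The block below is an added example, not the plugin's own code (the vendor's 4.4.3 fix is not published in this advisory). It rewrites the three query sites above under that pattern and assumes the WordPress runtime the plugin already has ($wpdb, absint(), wp_unslash(), wp_send_json_error(), current_user_can(), check_admin_referer()); the capability name 'manage_options' and the nonce action 'ctimeline_example_delete_' are assumptions, not the plugin's.

```php
<?php
// Added example, not the plugin's own code: the three query sites above rewritten
// so the id is validated as a positive integer and bound with $wpdb->prepare().
// Assumes the WordPress runtime the plugin already has ($wpdb, absint(),
// wp_unslash(), wp_send_json_error(), current_user_can(), check_admin_referer()).
// The capability name and nonce action below are assumptions, not the plugin's.

// Read a positive integer id from the query string; 0 means "absent or not an integer".
function ctimeline_example_request_id( $param ) {
    if ( ! isset( $_GET[ $param ] ) || is_array( $_GET[ $param ] ) ) {
        return 0;
    }
    $raw = wp_unslash( $_GET[ $param ] );
    // Refuse anything that is not purely digits before casting, so "3 AND 1=1"
    // is rejected outright rather than silently truncated to 3.
    if ( ! ctype_digit( (string) $raw ) ) {
        return 0;
    }
    return absint( $raw );
}

// 1) content_timeline_class.php / ajax_frontend_get(): reachable unauthenticated.
function ctimeline_example_ajax_frontend_get() {
    global $wpdb;
    $timeline_id = ctimeline_example_request_id( 'timeline' );
    if ( 0 === $timeline_id ) {
        wp_send_json_error( 'invalid timeline id', 400 ); // ends the request
    }
    $table = $wpdb->prefix . 'ctimelines'; // not attacker-controlled, safe to concatenate
    // %d makes prepare() emit the bound value as an integer literal, whatever was sent.
    $timeline = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $timeline_id )
    );
    if ( null === $timeline ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( $timeline );
}

// 2) pages/content_timeline_edit.php: authenticated read.
function ctimeline_example_load_timeline_for_edit() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) { // assumed capability
        wp_die( 'You are not allowed to edit timelines.', '', array( 'response' => 403 ) );
    }
    $id = ctimeline_example_request_id( 'id' );
    if ( 0 === $id ) {
        return null;
    }
    $table = $wpdb->prefix . 'ctimelines';
    return $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id ) );
}

// 3) pages/content_timeline_index.php: authenticated delete. Because it changes
//    state, it also gets a nonce check so a crafted link cannot trigger it.
function ctimeline_example_handle_delete() {
    global $wpdb;
    if ( ! isset( $_GET['action'] ) || 'delete' !== $_GET['action'] ) {
        return false;
    }
    if ( ! current_user_can( 'manage_options' ) ) { // assumed capability
        wp_die( 'You are not allowed to delete timelines.', '', array( 'response' => 403 ) );
    }
    $id = ctimeline_example_request_id( 'id' );
    if ( 0 === $id ) {
        return false;
    }
    // Links to this action must be built with wp_nonce_url( $url, 'ctimeline_example_delete_' . $id ).
    check_admin_referer( 'ctimeline_example_delete_' . $id );
    $table   = $wpdb->prefix . 'ctimelines';
    $deleted = $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table} WHERE id = %d LIMIT 1", $id )
    );
    return 1 === $deleted; // exactly one row removed
}
```

Two design points. The table name is still concatenated, which is acceptable only because it is built from $wpdb->prefix, never from the request; $wpdb->prepare() binds values, not identifiers. And the delete handler adds a LIMIT 1 and a nonce: the first caps the damage if the WHERE clause is ever weakened again, the second closes the cross-site request forgery that an unprotected GET-driven delete invites, which is a separate weakness from the injection the advisory reports.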

Affects Plugin

Fixed in version 4.4.3

References

CVE CVE-2017-14507
EXPLOITDB 42794
URL https://codecanyon.net/item/content-timeline-responsive-wordpress-plugin-for-displaying-postscategories-in-a-sliding-timeline/3027163

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter Jeroen - IT Nerdbox
Submitter Website https://nerdbox.it/
Submitter Twitter @ITNerdbox
Verified No
WPVDB ID 8921

Timeline

Publicly Published 2017-09-26
Added 2017-10-03
Last Updated 2018-08-05

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.