Content Timeline <= 4.4.2 – Multiple Blind SQL Injection | CVE 2017-14507

Description

Multiple Blind SQL injections in the premium 'Content Timeline' Plugin. One unauthenticated and two authenticated injections.

Contacted the author twice without any response.

## History:

09-16-2017 Contacted the author
09-16-2017 Requested CVE-ID
09-18-2017 CVE-ID Received
09-18-2017 Contacted the author again
09-26-2017 No reaction from author, thus releasing.

Proof of Concept

http(s)://www.target.tld/wp-admin/admin-ajax.php?action=ctimeline_frontend_get&timeline={inject here}

File: content_timeline_class.php (unauthenticated)

function ajax_frontend_get(){ 
        $timelineId = $_GET['timeline'];
         $id = $_GET['id'];
         global $wpdb;
         if($timelineId) {
                 $timeline = $wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'ctimelines WHERE id='.$timelineId);
                 $timeline = $timeline[0];

User input $_GET['timeline'] is not sanitized and used to dynamically generate SQL syntax.


File: pages/content_timeline_edit.php (authenticated)
 
    if(isset($_GET['id'])) {
         global $wpdb;
         $timeline = $wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'ctimelines WHERE id='.$_GET['id']);

User input $_GET['id'] is not sanitized and used to dynamically generate SQL syntax.


File: pages/content_timeline_index.php
 
    if(isset($_GET['action']) && $_GET['action'] == 'delete') { 
         $wpdb->query('DELETE FROM '. $prefix . 'ctimelines WHERE id = '.$_GET['id']);

User input $_GET['id'] is not sanitized and used to dynamically generate SQL syntax.