WordPress Plugin Content Timeline - SQL Injection

EDB-ID:

42794


Platform:

PHP

Published:

2017-09-16

# Exploit Title: Multiple Blind SQL Injections Wordpress Plugin: Content Timeline
# Google Dork: -
# Date: September 16, 2017
# Exploit Author: Jeroen - ITNerdbox
# Vendor Homepage: http://www.shindiristudio.com/
# Software Link: https://codecanyon.net/item/content-timeline-responsive-wordpress-plugin-for-displaying-postscategories-in-a-sliding-timeline/3027163
# Version: 4.4.2
# Tested on: Linux / Nginx / Wordpress 4.8.1 / PHP 7.0.22
# CVE : CVE-2017-14507

## Proof of Concept

http(s)://www.target.tld/wp-admin/admin-ajax.php?action=ctimeline_frontend_get&timeline={inject here}

## Problem in file : content_timeline_class.php    

function ajax_frontend_get(){

        $timelineId = $_GET['timeline'];

        $id = $_GET['id'];

        global $wpdb;

        if($timelineId) {

                $timeline = $wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'ctimelines WHERE id='.$timelineId);

                $timeline = $timeline[0];

Problem exists in the GET parameter called 'timeline' which is not sanitized and used in dynamically generating the

SQL syntax.

## Problem in file : pages/content_timeline_edit.php

    if(isset($_GET['id'])) {

        global $wpdb;

        $timeline = $wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'ctimelines WHERE id='.$_GET['id']);

Problem exists in the GET parameter called 'id' which is not sanitized and used in dynamically generating the

SQL syntax.

## Problem in file : pages/content_timeline_index.php

            if(isset($_GET['action']) && $_GET['action'] == 'delete') {

                $wpdb->query('DELETE FROM '. $prefix . 'ctimelines WHERE id = '.$_GET['id']);

            }

Problem exists in the GET parameter called 'id' which is not sanitized and used in dynamically generating the

SQL syntax.

## History

09-16-2017        Contacted the author
09-16-2017        Requested CVE-ID
09-18-2017        CVE-ID Received
09-18-2017        Contacted the author again
09-26-2017 No reaction from author, thus releasing.