# Exploit Title: Multiple Blind SQL Injections Wordpress Plugin: Content Timeline
# Google Dork: -
# Date: September 16, 2017
# Exploit Author: Jeroen - ITNerdbox
# Vendor Homepage: http://www.shindiristudio.com/
# Software Link: https://codecanyon.net/item/content-timeline-responsive-wordpress-plugin-for-displaying-postscategories-in-a-sliding-timeline/3027163
# Version: 4.4.2
# Tested on: Linux / Nginx / Wordpress 4.8.1 / PHP 7.0.22
# CVE : CVE-2017-14507
## Proof of Concept
http(s)://www.target.tld/wp-admin/admin-ajax.php?action=ctimeline_frontend_get&timeline={inject here}
## Problem in file : content_timeline_class.php
function ajax_frontend_get(){
$timelineId = $_GET['timeline'];
$id = $_GET['id'];
global $wpdb;
if($timelineId) {
$timeline = $wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'ctimelines WHERE id='.$timelineId);
$timeline = $timeline[0];
Problem exists in the GET parameter called 'timeline' which is not sanitized and used in dynamically generating the
SQL syntax.
## Problem in file : pages/content_timeline_edit.php
if(isset($_GET['id'])) {
global $wpdb;
$timeline = $wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'ctimelines WHERE id='.$_GET['id']);
Problem exists in the GET parameter called 'id' which is not sanitized and used in dynamically generating the
SQL syntax.
## Problem in file : pages/content_timeline_index.php
if(isset($_GET['action']) && $_GET['action'] == 'delete') {
$wpdb->query('DELETE FROM '. $prefix . 'ctimelines WHERE id = '.$_GET['id']);
}
Problem exists in the GET parameter called 'id' which is not sanitized and used in dynamically generating the
SQL syntax.
## History
09-16-2017 Contacted the author
09-16-2017 Requested CVE-ID
09-18-2017 CVE-ID Received
09-18-2017 Contacted the author again
09-26-2017 No reaction from author, thus releasing.
