# Exploit Title: Multiple Blind SQL Injections WordPress Plugin: Content Timeline
# Google Dork: -
# Date: September 16, 2017
# Exploit Author: Jeroen - ITNerdbox
# Vendor Homepage: http://www.shindiristudio.com/
# Software Link: https://codecanyon.net/item/content-timeline-responsive-wordpress-plugin-for-displaying-postscategories-in-a-sliding-timeline/3027163
# Version: 4.4.2
# Tested on: Linux / Nginx / WordPress 4.8.1 / PHP 7.0.22
# CVE : CVE-2017-14507

## Proof of Concept

http(s)://www.target.tld/wp-admin/admin-ajax.php?action=ctimeline_frontend_get&timeline={inject here}

## Problem in file : content_timeline_class.php

```php
// Excerpt from the plugin's front-end AJAX handler (vulnerable as shipped in 4.4.2).
function ajax_frontend_get(){
    $timelineId = $_GET['timeline'];
    $id = $_GET['id'];
    global $wpdb;
    if($timelineId){
        // 'timeline' is concatenated straight into the SQL string, unquoted and unvalidated.
        $timeline = $wpdb->get_results('SELECT * FROM '. $wpdb->prefix .'ctimelines WHERE id='.$timelineId);
        $timeline = $timeline[0];
```

The problem exists in the GET parameter 'timeline', which is not sanitized and is used in dynamically generating the SQL syntax.

## Problem in file : pages/content_timeline_edit.php

```php
// Excerpt from the admin edit page (vulnerable as shipped in 4.4.2).
if(isset($_GET['id'])){
    global $wpdb;
    // 'id' is concatenated straight into the SQL string, unquoted and unvalidated.
    $timeline = $wpdb->get_results('SELECT * FROM '. $wpdb->prefix .'ctimelines WHERE id='.$_GET['id']);
```

The problem exists in the GET parameter 'id', which is not sanitized and is used in dynamically generating the SQL syntax.

## Problem in file : pages/content_timeline_index.php

```php
// Excerpt from the admin index page's delete action (vulnerable as shipped in 4.4.2).
if(isset($_GET['action'])&& $_GET['action']=='delete'){
    // 'id' is concatenated straight into a DELETE statement, unquoted and unvalidated.
    $wpdb->query('DELETE FROM '. $prefix .'ctimelines WHERE id = '.$_GET['id']);
}
```

The problem exists in the GET parameter 'id', which is not sanitized and is used in dynamically generating the SQL syntax.

## History

09-16-2017 Contacted the author
09-16-2017 Requested CVE-ID
09-18-2017 CVE-ID Received
09-18-2017 Contacted the author again
09-26-2017 No reaction from author, thus releasing.
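For comparison, the three queries above rewritten so the id can no longer reach the SQL string unparsed. This is an added example, not the plugin's own code or the vendor's fix; it assumes a normal WordPress runtime ($wpdb, absint, wp_unslash, current_user_can, check_admin_referer), and the capability 'manage_options' and nonce action 'ctimeline_delete' are names chosen for the example.

```php
<?php
// Added example (not the plugin's code): hardened versions of the queries
// from content_timeline_class.php, pages/content_timeline_edit.php and
// pages/content_timeline_index.php. Assumes a standard WordPress runtime.

// Shared helper: coerce the request parameter to a non-negative integer.
// absint() maps '', 'abc' or '1 OR 1=1' to 0, which matches no row.
function ctimeline_request_id( $key ) {
    return isset( $_GET[ $key ] ) ? absint( wp_unslash( $_GET[ $key ] ) ) : 0;
}

// content_timeline_class.php: front-end AJAX handler.
// The edit page (pages/content_timeline_edit.php) needs the same get_row().
function ajax_frontend_get_hardened() {
    global $wpdb;
    $timelineId = ctimeline_request_id( 'timeline' );
    if ( ! $timelineId ) {
        wp_send_json_error( 'missing or invalid timeline id', 400 );
    }
    // %d makes $wpdb->prepare() cast the value to an integer before it is
    // placed in the statement, so the query shape is fixed regardless of input.
    $timeline = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}ctimelines WHERE id = %d", $timelineId )
    );
    if ( ! $timeline ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( $timeline );
}

// pages/content_timeline_index.php: delete action. A destructive admin action
// should also require a capability and a nonce; both names are example values.
function ctimeline_handle_delete() {
    global $wpdb;
    if ( ! isset( $_GET['action'] ) || $_GET['action'] !== 'delete' ) {
        return false;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'ctimeline_delete' ); // dies on a missing or bad nonce
    $id = ctimeline_request_id( 'id' );
    if ( ! $id ) {
        return false;
    }
    // Returns the number of deleted rows (0 when the id does not exist).
    return $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$wpdb->prefix}ctimelines WHERE id = %d", $id )
    );
}
```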