ThreatPress

WordPress Vulnerabilities Database


WordPress Content Timeline plugin <=4.4.2 - Multiple Blind SQL Injection vulnerabilities

Product
Content Timeline
Description
Multiple Blind SQL Injection vulnerabilities were found by Jeroen (ITNerdbox) in the premium WordPress plugin Content Timeline (<=4.4.2). It is possible to execute arbitrary SQL commands via the id parameter in content_timeline_class.php, content_timeline_edit.php and content_timeline_index.php.
Solution
We were unable to find any solution (last checked on October 3rd, 2017). The last available update, according to the plugin changelog, was released on March 1st, 2017. We suggest deactivating and uninstalling the Content Timeline plugin until a patched version is released.
Classification
Type: SQL Injection
OWASP Top 10: A1: Injection
References
CVE
Name: CVE-2017-14507
Versions
Affected in: <=4.4.2
Disclosure date
2017-10-03
Credits
Jeroen (ITNerdbox)
Submitter
ThreatPress