cbcvebase.
CVE-2017-14507
published 2017-09-29


Priority: P266 · Severity: critical · CVSS 3.0 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 5.25% (91.5th percentile)
Multiple SQL injection vulnerabilities in the Content Timeline plugin 4.4.2 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) timeline parameter in content_timeline_class.php; or the id parameter to (2) pages/content_timeline_edit.php or (3) pages/content_timeline_index.php.

Affected (1 range)

Vendor          Product           Version range   Fixed in
shindiristudio  content_timeline  (not listed)    (not listed)

Detection & IOCs (extracted from sources)

url   http(s)://www.target.tld/wp-admin/admin-ajax.php?action=ctimeline_frontend_get&timeline={inject here}
path  /wp-admin/admin-ajax.php
path  content_timeline_class.php
path  pages/content_timeline_edit.php
path  pages/content_timeline_index.php
  • Monitor HTTP GET requests to /wp-admin/admin-ajax.php with action=ctimeline_frontend_get and a timeline parameter that carries SQL injection payloads (quotes, comment sequences, UNION/SELECT, SLEEP, boolean expressions such as OR 1=1).
  • The timeline GET parameter is concatenated unsanitized into the query 'SELECT * FROM wp_ctimelines WHERE id=' (wp_ is the default table prefix and may differ per site); look for SQL metacharacters or keywords in the timeline parameter value rather than in the table name.
  • The id GET parameter of the admin pages content_timeline_edit.php and content_timeline_index.php is used directly in SELECT and DELETE queries; flag requests to these paths whose id parameter contains SQL injection patterns.
  • On content_timeline_index.php with action=delete, the unsanitized id parameter reaches a DELETE query, which allows blind SQL injection through the id value (and, trivially, deletion of arbitrary rows); flag such requests.
  • The advisory names Content Timeline plugin version 4.4.2 for WordPress; flag installations of this version for patching or WAF rule enforcement.
  • The SQL injection via the timeline parameter on admin-ajax.php is reachable unauthenticated (it is a frontend AJAX endpoint), so it is remotely exploitable without credentials; this is the vector that justifies the PR:N in the CVSS vector. The id parameter injections in the edit and index pages are served through wp-admin and normally require an authenticated user; verify this on the target installation rather than assuming it.
  • These are blind SQL injections: exploitation does not return query output directly in the HTTP response, so detection must also cover time-based (SLEEP, BENCHMARK) and boolean-based patterns in the monitored parameters, and unusual response times on these endpoints are a useful secondary signal.
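The detection bullets above translate directly into a log check. The following is an added example written for this page, not code from the page's sources or from the plugin vendor: it parses Common Log Format access-log lines, maps each request to one of the three injection points (the admin-ajax.php timeline parameter, and the id parameter of the two admin pages), and flags parameter values that carry SQL metacharacters or keywords, including the time-based and boolean-based forms the last bullet calls out. The log lines are constructed for the example, and the plugin directory /wp-content/plugins/content-timeline/ is an assumption; matching is on the file name so the real directory does not matter.

```python
"""Detection logic for CVE-2017-14507 request patterns, run over constructed
access-log lines (added example; not code from the page or the plugin vendor)."""
import re
from urllib.parse import parse_qs, urlsplit

# Injection points named in the advisory. The admin-ajax.php vector also
# requires the plugin's AJAX action; the two admin pages are matched on file
# name because the plugin directory under wp-content/plugins/ is an assumption.
AJAX_PATH = "/wp-admin/admin-ajax.php"
AJAX_ACTION = "ctimeline_frontend_get"
PLUGIN_PAGES = ("content_timeline_edit.php", "content_timeline_index.php")

# Metacharacters and keywords covering error-, boolean- and time-based
# payloads. Values are matched after URL decoding (parse_qs decodes them).
SQLI_RE = re.compile(
    r"""['"]|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\b(?:or|and)\b\s+\S+\s*=""",
    re.IGNORECASE,
)

# Common Log Format: client, identd, user, [timestamp], "request line", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)


def classify(target):
    """Map a request target to the injection point it hits, or None.

    Returns (vector label, decoded parameter value)."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)
    action = qs.get("action", [""])[0]
    if parts.path == AJAX_PATH and action == AJAX_ACTION:
        return "timeline@admin-ajax", qs.get("timeline", [""])[0]
    if parts.path.endswith(PLUGIN_PAGES):
        label = "id@" + parts.path.rsplit("/", 1)[-1]
        if action == "delete":
            label += " (action=delete)"  # this branch reaches the DELETE query
        return label, qs.get("id", [""])[0]
    return None


def looks_injected(value):
    """True if a parameter value carries SQL metacharacters or keywords."""
    return bool(SQLI_RE.search(value))


def scan(lines):
    """Return one dict per request that targets an injection point with a
    suspicious parameter value; benign requests to the same paths are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify(m["target"])
        if hit is None:
            continue
        vector, value = hit
        if looks_injected(value):
            hits.append({"ip": m["ip"], "vector": vector, "value": value,
                         "status": int(m["status"])})
    return hits


# Constructed sample log lines (not real traffic). 203.0.113.5 is a normal
# visitor; 198.51.100.7 probes all three injection points.
SAMPLE_LOG = [
    # benign frontend fetch of timeline 3
    '203.0.113.5 - - [29/Sep/2017:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=ctimeline_frontend_get&timeline=3 HTTP/1.1" 200 512',
    # time-based blind probe on the unauthenticated AJAX vector
    '198.51.100.7 - - [29/Sep/2017:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=ctimeline_frontend_get&timeline=3%20AND%20SLEEP(5) HTTP/1.1" 200 512',
    # boolean-based probe with URL-encoded quotes
    '198.51.100.7 - - [29/Sep/2017:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=ctimeline_frontend_get&timeline=3%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512',
    # another admin-ajax action carrying a quote: not this plugin, must not fire
    '203.0.113.5 - - [29/Sep/2017:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&data=it%27s HTTP/1.1" 200 64',
    # blind injection through id on the delete action of the admin index page
    '198.51.100.7 - - [29/Sep/2017:10:00:05 +0000] "GET /wp-content/plugins/content-timeline/pages/content_timeline_index.php?action=delete&id=5%20OR%201%3D1 HTTP/1.1" 302 0',
    # legitimate edit of record 5
    '203.0.113.5 - - [29/Sep/2017:10:00:06 +0000] "GET /wp-content/plugins/content-timeline/pages/content_timeline_edit.php?id=5 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h['ip']:<14} {h['vector']:<45} {h['value']!r}")
```

Run as-is it reports the three probing requests and stays silent on the two benign ones and on the unrelated heartbeat action, which is the point of keying on action=ctimeline_frontend_get rather than on admin-ajax.php alone. To run it over real traffic, replace SAMPLE_LOG with lines read from the web server's access log; POST bodies are not in the access log, so the same check would have to sit in a WAF or request-logging layer for non-GET variants.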

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P