CVE-2017-14507
Published 2017-09-29
Priority P266, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 5.25% (91.5th percentile)
Multiple SQL injection vulnerabilities in the Content Timeline plugin 4.4.2 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) timeline parameter in content_timeline_class.php; or the id parameter to (2) pages/content_timeline_edit.php or (3) pages/content_timeline_index.php.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shindiristudio | content_timeline | — | — |
Detection & IOCs
URL: http(s)://www.target.tld/wp-admin/admin-ajax.php?action=ctimeline_frontend_get&timeline={inject here}
- Monitor HTTP GET requests to /wp-admin/admin-ajax.php with the action parameter set to 'ctimeline_frontend_get' and a 'timeline' parameter containing SQL injection payloads (e.g., quotes, UNION, SLEEP, boolean expressions).
- Detect unsanitized 'timeline' GET parameter passed directly into SQL query: 'SELECT * FROM wp_ctimelines WHERE id='. Look for SQL metacharacters or keywords in the timeline parameter value.
- Detect unsanitized 'id' GET parameter in admin pages content_timeline_edit.php and content_timeline_index.php used directly in SELECT and DELETE SQL queries; flag requests to these paths with SQL injection patterns in the 'id' parameter.
- Flag DELETE queries triggered via content_timeline_index.php with an unsanitized 'id' parameter when action=delete, as this allows blind SQL injection via the id value.
- The vulnerability affects Content Timeline plugin version 4.4.2 for WordPress; flag installations of this exact version for patching or WAF rule enforcement.
- The SQL injection via the 'timeline' parameter on admin-ajax.php is unauthenticated (frontend AJAX endpoint), making it remotely exploitable without credentials. The 'id' parameter injections in edit/index pages are within wp-admin and may require authentication depending on WordPress configuration.
- These are blind SQL injection vulnerabilities: exploitation does not produce direct output in the HTTP response, so detection should also account for time-based (SLEEP) and boolean-based blind injection patterns in the monitored parameters.
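The monitoring guidance above, as an added example (not from the advisory or the plugin): a Python filter that applies those checks to web-server access-log lines. The log lines are constructed, and two things are assumptions: that legitimate `timeline` and `id` values are plain integers, and that the admin pages show up in the URL by file name or as an `admin.php?page=...` slug.

```python
import re
from urllib.parse import urlsplit, parse_qs

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Pattern families named in the guidance above.
SQLI_PATTERNS = {
    "quote": re.compile(r"['\"]"),
    "union": re.compile(r"\bunion\b", re.I),
    "time-based": re.compile(r"\bsleep\s*\(", re.I),
    "boolean": re.compile(r"\b(?:and|or)\b.+?(?:=|<|>|\blike\b)", re.I),
}
# Assumption: admin pages appear in the URL by file name or page slug.
ADMIN_PAGES = ("content_timeline_edit", "content_timeline_index")

SAMPLE_LOG = [  # constructed lines using documentation address ranges
    '203.0.113.7 - - [01/Oct/2017:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=ctimeline_frontend_get&timeline=3 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Oct/2017:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=ctimeline_frontend_get&timeline=3%20AND%20SLEEP(5) HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Oct/2017:10:00:09 +0000] "GET /wp-admin/admin.php?page=content_timeline_index&action=delete&id=1%20OR%201%3D1 HTTP/1.1" 200 900',
    '198.51.100.4 - - [01/Oct/2017:10:00:12 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40',
]

def classify(value):
    """Return matched pattern families; 'non-numeric' if nothing else fits."""
    if re.fullmatch(r"[0-9]+", value):  # assumption: valid ids are integers
        return []
    hits = [name for name, rx in SQLI_PATTERNS.items() if rx.search(value)]
    return hits or ["non-numeric"]

def inspect(line):
    """Return (parameter, families) for a suspicious log line, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    qs = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    if (url.path.endswith("/wp-admin/admin-ajax.php")
            and qs.get("action") == ["ctimeline_frontend_get"]):
        param = "timeline"
    elif any(page in m.group(1) for page in ADMIN_PAGES):
        param = "id"
    else:
        return None
    hits = sorted({h for v in qs.get(param, []) for h in classify(v)})
    return (param, hits) if hits else None

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(inspect(entry), "<-", entry.split('"')[1])
```

Because the injections are blind, a `time-based` hit is worth correlating with the response time of the same request when the log format records it.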
CVSS provenance
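| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |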