Vendor: Content Timeline
By: Jeroen - ITNerdbox
CVSS: 9.8 (CRITICAL)
Vulnerability Type: Blind SQL Injection
CWE: 89
Product Name: Content Timeline
Affected Version From: 4.4.2002
Affected Version To: 4.4.2002
Patch Exists: NO
Related CVE: CVE-2017-14507
CPE: a:shindiristudio:content_timeline:4.4.2
Platforms Tested: Linux
Year: 2017
Multiple Blind SQL Injections WordPress Plugin: Content Timeline
The vulnerability exists in the 'timeline' and 'id' GET parameters, which are not sanitized before being used to dynamically build SQL statements.
Mitigation:
Validate and sanitize user input before using it in SQL queries, and use prepared statements or parameterized queries so that request parameters are never concatenated into SQL syntax.