SQL Injection Vulnerability in Timeline Designer Plugin for WordPress
CVE-2024-11437

4.9MEDIUM

Key Information:

Vendor
Wordpress
Vendor
CVE Published:
7 January 2025

Summary

The Timeline Designer plugin for WordPress has a vulnerability that allows SQL Injection through the 's' parameter in all versions up to and including 1.4. This issue arises from insufficient parameter escaping and a lack of proper SQL query preparation. As a result, unauthenticated attackers can manipulate existing SQL queries to extract sensitive information from the database, posing a significant risk to user data and overall site integrity.

Affected Version(s)

Timeline Designer * <= 1.4

References

CVSS V3.1

Score:
4.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Colin Xu
.