SQL Injection Vulnerability in Timeline Designer Plugin for WordPress
CVE-2024-11437
4.9MEDIUM
Summary
The Timeline Designer plugin for WordPress has a vulnerability that allows SQL Injection through the 's' parameter in all versions up to and including 1.4. This issue arises from insufficient parameter escaping and a lack of proper SQL query preparation. As a result, unauthenticated attackers can manipulate existing SQL queries to extract sensitive information from the database, posing a significant risk to user data and overall site integrity.
Affected Version(s)
Timeline Designer * <= 1.4
References
CVSS V3.1
Score:
4.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Colin Xu