CVE-2026-1228
📋 TL;DR
This vulnerability allows authenticated WordPress users with the Author role or higher to read private timeline content they are not authorized to see. The plugin's timeline shortcode does not validate the 'id' value it is given against the caller's rights, so an Author can point the shortcode at a restricted timeline and have it rendered. Only WordPress sites running the Timeline Block plugin are affected.
💻 Affected Systems
- Timeline Block – Beautiful Timeline Builder for WordPress (Vertical & Horizontal Timelines)
⚠️ Manual Verification Required
The NVD entry for this CVE does not specify affected version ranges, so automated scanners that rely on NVD data cannot determine whether your install is affected.
Why? No version ranges were provided by the vendor/NVD. This page lists 1.3.4 as the patched release (see Fix & Mitigation), so compare the installed version against that manually rather than waiting for a scanner to flag it.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Author-level users could systematically extract all private timeline content, potentially exposing sensitive internal information, project timelines, or confidential planning data.
Likely Case
A malicious Author, or an attacker holding a compromised Author account, reads specific private timeline entries that the account was not authorized to view.
If Mitigated
Limited if Author accounts are few and trusted, but the disclosure still occurs: any Author can read any private timeline, so the only control left is the trustworthiness of those accounts, not the plugin.
🎯 Exploit Status
Exploitation requires Author-level or higher WordPress credentials. The attack consists of using the timeline shortcode with an 'id' value that points at a private timeline the account does not own; since Authors can place shortcodes in their own posts, no further access is needed. No public exploit is referenced on this page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.4 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3446078/timeline-block-block
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Timeline Block – Beautiful Timeline Builder'
4. Click 'Update Now' if update available
5. If no update appears, manually download version 1.3.4+ from WordPress.org
🔧 Temporary Workarounds
Remove vulnerable plugin
Temporarily deactivate or remove the Timeline Block plugin until it is patched (this also stops all timelines rendering on the site):
wp plugin deactivate timeline-block-block
wp plugin delete timeline-block-block
Restrict author permissions
Review Author-level accounts and demote those that do not need publishing rights to the Contributor role. This shrinks the pool of accounts that can exploit the flaw; it does not fix it.
🧯 If You Can't Patch
- Implement strict access controls and monitor Author-level user activity
- Use web application firewall rules to catch the timeline shortcode being saved with an unexpected 'id'. Shortcodes are expanded server-side from stored post content, so the attacker's 'id' never appears as a query-string parameter; the WAF has to inspect the body of post-save requests (POST to wp-admin/post.php or the REST API posts endpoints) for the shortcode and its 'id' attribute
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Timeline Block plugin version. If version is 1.3.3 or lower, you are vulnerable.
Check Version:
wp plugin get timeline-block-block --field=version
Verify Fix Applied:
Verify plugin version is 1.3.4 or higher in WordPress admin panel.
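The version check above is a string comparison waiting to go wrong: "1.3.10" sorts before "1.3.4" lexically, and a fleet of sites is tedious to check by hand. The script below is an added example, not code from this advisory or from the plugin, that wraps the WP-CLI command already shown on this page in a proper numeric comparison and audits several installs at once. It assumes WP-CLI is on PATH, that the plugin slug is timeline-block-block (the slug this page uses) and that 1.3.4 is the first fixed release (as this page states).

```python
"""Audit one or more WordPress installs for a Timeline Block version below the fix.

Added example (not code from the advisory or the plugin). Assumes: WP-CLI is on
PATH, the plugin slug is timeline-block-block (the slug this page uses) and the
fixed release is 1.3.4 (as stated on this page).
"""
import re
import subprocess
from typing import Callable, Dict, Iterable, Optional, Tuple

PLUGIN_SLUG = "timeline-block-block"
FIXED_VERSION = "1.3.4"  # first patched release according to this advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.3.10' -> (1, 3, 10). Numeric fields avoid the string-compare trap
    where '1.3.10' < '1.3.4'; a non-numeric suffix such as '-beta' is dropped
    and a field with no digits counts as 0."""
    fields = []
    for field in version.strip().split("."):
        m = re.match(r"\d+", field)
        fields.append(int(m.group()) if m else 0)
    return tuple(fields)


def version_lt(a: str, b: str) -> bool:
    """True when version a sorts before b; missing fields pad with 0 ('1.3' == '1.3.0')."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def is_vulnerable(installed: str) -> bool:
    """Vulnerable when the installed version is below the fixed release."""
    return version_lt(installed, FIXED_VERSION)


def installed_version(site_path: str) -> Optional[str]:
    """Ask WP-CLI for the plugin version; None if wp is missing, fails, or the plugin is absent."""
    cmd = ["wp", f"--path={site_path}", "plugin", "get", PLUGIN_SLUG, "--field=version"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


def audit(site_paths: Iterable[str],
          lookup: Callable[[str], Optional[str]] = installed_version) -> Dict[str, str]:
    """Map each site path to 'vulnerable', 'patched' or 'not-installed'.
    `lookup` is injectable so the logic can be exercised without WP-CLI."""
    result = {}
    for path in site_paths:
        version = lookup(path)
        if version is None:
            result[path] = "not-installed"
        elif is_vulnerable(version):
            result[path] = "vulnerable"
        else:
            result[path] = "patched"
    return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        sys.exit("usage: audit_timeline_block.py /path/to/wordpress [...]")
    for path, status in audit(sys.argv[1:]).items():
        print(f"{path}: {status}")
```

Run it with one or more WordPress root paths as arguments. A "not-installed" result also covers a WP-CLI failure (wrong path, wp not on PATH), so treat that state as "unknown" rather than "safe" until you have confirmed the plugin really is absent.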
📡 Detection & Monitoring
Log Indicators:
- Timeline shortcodes in posts by Author-role users that reference timeline IDs those users did not create
- Runs of shortcode references to timeline IDs that do not exist, consistent with an attacker enumerating IDs
Network Indicators:
- Shortcodes are expanded server-side from stored post content, so the only request that carries the attacker's 'id' is the post save: a POST to wp-admin/post.php or to the REST API posts endpoints whose body contains the timeline shortcode with an 'id' attribute
SIEM Query (field names depend on your log pipeline; adjust them to yours):
source="wordpress" AND method="POST" AND (uri_path="*/wp-admin/post.php" OR uri_path="*/wp-json/wp/v2/posts*") AND request_body="*timeline*" AND request_body="*id=*" AND status=200
This query on its own also matches legitimate use of the shortcode; correlate each hit with the submitting user's role and with the owner and status of the referenced timeline before raising an alert.
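Request logs rarely retain full post bodies, so the more reliable place to look is the stored content itself: every shortcode an Author saved is still in wp_posts. The script below is an added example, not code from this advisory or the plugin, that implements the two log indicators above over a post dump: it extracts the timeline shortcode's 'id' attributes and cross-references them against the timeline table, flagging references to another user's private timeline and references to IDs that do not exist. It assumes the shortcode tag is `timeline_block` (substitute the plugin's real tag), that timelines are stored as WordPress posts carrying post_author and post_status with private ones marked "private", and that the input rows have the shape `wp post list --fields=ID,post_author,post_content --format=json` produces. The sample data is constructed for the example.

```python
"""Flag posts whose timeline shortcode points at a private timeline the post's
author does not own, plus references to timeline IDs that do not exist.

Added example (not from the advisory or the plugin). Assumptions: the shortcode
tag is `timeline_block`; timelines are stored as WordPress posts with
post_author and post_status (private timelines are post_status == "private");
input rows look like `wp post list --fields=ID,post_author,post_content
--format=json` output. The sample data below is constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

SHORTCODE_TAG = "timeline_block"  # ASSUMED tag name; substitute the plugin's real one

# [timeline_block ...attrs...]; \b stops "timeline_blocks" matching; group 1 = attrs.
SHORTCODE_RE = re.compile(r"\[" + re.escape(SHORTCODE_TAG) + r"\b([^\]]*)\]")
# id="5", id='5' or id=5; the lookbehind keeps data-id=5 from matching.
ID_ATTR_RE = re.compile(r"""(?<![\w-])id\s*=\s*(?:"(\d+)"|'(\d+)'|(\d+))""")


@dataclass(frozen=True)
class Finding:
    kind: str                       # "cross-author-private" | "missing-timeline"
    post_id: int                    # post carrying the shortcode
    post_author: int                # user who wrote that post
    timeline_id: int                # id attribute in the shortcode
    timeline_author: Optional[int]  # owner of the referenced timeline, if it exists


def shortcode_ids(content: str) -> List[int]:
    """Every numeric id attribute of the timeline shortcode in `content`, in order."""
    ids = []
    for sc in SHORTCODE_RE.finditer(content):
        attr = ID_ATTR_RE.search(sc.group(1))
        if attr:
            ids.append(int(next(g for g in attr.groups() if g is not None)))
    return ids


def scan(posts: Iterable[dict], timelines: Dict[int, dict],
         privileged_users: Set[int] = frozenset()) -> List[Finding]:
    """Cross-reference shortcode ids against the timeline table.
    Users in `privileged_users` (Editors/Administrators, who hold
    read_private_posts anyway) are skipped to avoid false positives."""
    findings = []
    for post in posts:
        author = int(post["post_author"])
        if author in privileged_users:
            continue
        for tid in shortcode_ids(post["post_content"]):
            tl = timelines.get(tid)
            if tl is None:
                findings.append(Finding("missing-timeline", int(post["ID"]), author, tid, None))
            elif tl["post_status"] == "private" and int(tl["post_author"]) != author:
                findings.append(Finding("cross-author-private", int(post["ID"]), author,
                                        tid, int(tl["post_author"])))
    return findings


# --- constructed sample data (not real site content) ---
SAMPLE_TIMELINES = {
    10: {"post_author": 1, "post_status": "private"},
    11: {"post_author": 2, "post_status": "publish"},
    12: {"post_author": 2, "post_status": "private"},
}
SAMPLE_POSTS = [
    {"ID": 100, "post_author": 2, "post_content": 'Roadmap: [timeline_block id="10"]'},  # another user's private timeline
    {"ID": 101, "post_author": 2, "post_content": "[timeline_block id=12]"},            # own private timeline: fine
    {"ID": 102, "post_author": 3, "post_content": "[timeline_block id='11']"},          # public timeline: fine
    {"ID": 103, "post_author": 3, "post_content": "[timeline_block id=999]"},           # no such timeline: probing?
    {"ID": 104, "post_author": 5, "post_content": '[timeline_block id="10"]'},          # user 5 is an Editor: skipped
]


def demo() -> List[Finding]:
    """Run the scan over the constructed sample; user 5 stands in for an Editor."""
    return scan(SAMPLE_POSTS, SAMPLE_TIMELINES, privileged_users={5})


if __name__ == "__main__":
    for f in demo():
        owner = f" (owner {f.timeline_author})" if f.timeline_author is not None else ""
        print(f"post {f.post_id} by user {f.post_author}: {f.kind} -> timeline {f.timeline_id}{owner}")
```

Feed it the real post and timeline rows and the set of user IDs that legitimately hold read_private_posts; a "cross-author-private" hit is a candidate exploitation, while a cluster of "missing-timeline" hits from one account is the enumeration pattern described under Log Indicators. Revisions and autosaves hold earlier versions of the content, so include them in the dump if you want to see shortcodes an attacker later removed.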