The Timeline Event History plugin for WordPress, developed by wpdiscover, contains a reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2026-1127. This vulnerability is due to improper neutralization of input during web page generation (CWE-79), specifically involving the 'id' parameter. All plugin versions up to and including 3.2 fail to adequately sanitize and escape user-supplied input before rendering it on web pages. As a result, an attacker can craft a malicious URL containing executable JavaScript code within the 'id' parameter. When an unsuspecting user clicks this URL, the injected script executes in their browser context, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, or redirect them to malicious sites. The vulnerability is exploitable remotely without authentication but requires user interaction (clicking a link). The CVSS 3.1 base score is 6.1, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, user interaction needed, and a scope change. The impact affects confidentiality and integrity but not availability. No patches or fixes are currently linked, and no active exploitation has been reported. The vulnerability was publicly disclosed on January 24, 2026, with Wordfence as the assigner.

This vulnerability poses a significant risk to organizations running WordPress sites with the Timeline Event History plugin installed. Successful exploitation can lead to session hijacking, unauthorized actions performed in the context of the victim user, theft of sensitive information, or redirection to malicious websites. This can damage user trust, lead to data breaches, and potentially facilitate further attacks such as privilege escalation or malware distribution. Since the vulnerability requires no authentication, any visitor can be targeted, increasing the attack surface. The need for user interaction (clicking a malicious link) somewhat limits automated exploitation but does not eliminate risk, especially in phishing campaigns. The scope change indicates that the vulnerability affects resources beyond the immediate plugin context, potentially impacting the entire WordPress site. Organizations with high-traffic public-facing WordPress sites, especially those relying on this plugin for event tracking, are at elevated risk. The absence of known exploits in the wild currently reduces immediate threat but should not lead to complacency.

1. Immediate mitigation involves disabling or uninstalling the Timeline Event History plugin until a secure patched version is released. 2. Monitor official wpdiscover channels and WordPress plugin repositories for updates or patches addressing CVE-2026-1127. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests containing malicious payloads in the 'id' parameter. 4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 5. Educate users and administrators about the risks of clicking untrusted links, especially those purporting to be related to site events or timelines. 6. Conduct regular security audits and vulnerability scans focusing on installed WordPress plugins. 7. Consider input validation and output encoding improvements at the application level if custom modifications are possible. 8. Review and harden user session management to minimize impact if session tokens are compromised.