Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PluginsPoint Timeline Pro timeline-pro allows DOM-Based XSS. This issue affects Timeline Pro: from n/a through <= 1.3.
Published: 2025-01-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation enables DOM-Based XSS in the PluginsPoint Timeline Pro plugin. An attacker can inject malicious script that executes in the browsers of users who view the affected page, potentially stealing session cookies, defacing content, or redirecting visitors to phishing sites. The flaw is a failure of input validation and output encoding: it arises whenever untrusted data is written into the DOM without being encoded for the context it lands in, and it puts the confidentiality and integrity of site visitors at risk.

Affected Systems

The vulnerability affects the Timeline Pro WordPress plugin provided by PluginsPoint, versions from the earliest release up to and including 1.3. Users who have installed any of these versions are exposed unless mitigated or upgraded.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score of < 1% shows a low likelihood of widespread exploitation at present, and the issue is not listed in CISA's KEV catalog. The typical attack path, inferred from the description rather than stated by the vendor, involves an attacker creating or modifying a timeline entry that contains malicious script or redirect URLs, which a victim's browser then processes. Successful exploitation requires the victim to load a page that contains the forged input, which is consistent with the CVSS vector's low-privilege (PR:L) and user-interaction (UI:R) components, so social engineering or a compromised content editor account may facilitate the exploit.

Generated by OpenCVE AI on May 1, 2026 at 22:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Timeline Pro to a version newer than 1.3 once released by PluginsPoint.
  • Ensure that any data entered into the plugin is properly sanitized or escaped before being output to the DOM, following best practices for preventing XSS.
  • If an update is not immediately available, consider disabling or removing the Timeline Pro plugin from the site to eliminate the vulnerable code paths.
  • Implement a web application firewall or content security policy that blocks or reports attempts to inject script content into page output.


Advisories
Source: EUVD
ID: EUVD-2025-2859
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pluginspoint Timeline Pro allows DOM-Based XSS. This issue affects Timeline Pro: from n/a through 1.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pluginspoint Timeline Pro allows DOM-Based XSS.This issue affects Timeline Pro: from n/a through 1.3.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PluginsPoint Timeline Pro timeline-pro allows DOM-Based XSS.This issue affects Timeline Pro: from n/a through <= 1.3.
References
Metrics cvssV3_1
  {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 07 Jan 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Jan 2025 15:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pluginspoint Timeline Pro allows DOM-Based XSS.This issue affects Timeline Pro: from n/a through 1.3.
Title WordPress Timeline Pro plugin <= 1.3 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:01.974Z

Reserved: 2025-01-07T10:23:42.744Z

Link: CVE-2025-22584

Vulnrichment

Updated: 2025-01-07T17:33:47.209Z

NVD

Status : Deferred

Published: 2025-01-07T16:15:54.780

Modified: 2026-06-17T08:48:28.150

Link: CVE-2025-22584

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T22:30:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')