Impact
The History timeline plugin contains an Improper Neutralization of Input During Web Page Generation flaw that results in reflected Cross‑Site Scripting. When an attacker supplies malicious input via a URL parameter, the plugin outputs it without adequate sanitisation, allowing arbitrary script execution in the victim’s browser. This can lead to session hijacking, data theft, or malicious content injection, affecting confidentiality, integrity, and availability of the WordPress site.
Affected Systems
WordPress sites that have the History timeline plugin by fireantology with version 0.7.2 or earlier installed. No later versions are known to be affected.
Risk and Exploitability
The CVSS v3 score of 7.1 indicates high severity, and exploitation depends on the attacker’s ability to entice a user to visit a crafted URL. The EPSS score of less than 1% suggests current exploitation activity is rare, and the vulnerability is not listed in CISA’s KEV catalog. Nevertheless, because any user visiting the vulnerable URL can be targeted, the overall risk remains significant for exposed sites. Exploitation requires only sending a malicious payload in a URL; no authentication or privileged access is necessary. The attack is therefore remote and client-side, with high exploitation potential if an attacker can craft and distribute the malicious link.