Description
Missing Authorization vulnerability in NotFound Unlimited Timeline unlimited-timeline allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Unlimited Timeline: from n/a through < 1.6.1.
Published: 2025-04-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a broken access control that allows unauthorized users to access functionality not properly constrained by access control lists within the Unlimited Timeline plugin. This flaw could let an attacker view or manipulate data that should only be available to privileged users, potentially leading to data disclosure or modification. The weakness corresponds to CWE‑862: Missing Authorization.

Affected Systems

The insecure behavior exists in the WordPress plugin Unlimited Timeline developed by NotFound. All released versions prior to 1.6.1 are impacted. Exact version ranges are not explicitly enumerated beyond the upper bound of 1.6.1, so any version installed that is lower than 1.6.1 should be considered vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS value of less than 1% suggests a low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers could exploit the flaw by sending crafted requests through the web interface, assuming they can identify the relevant endpoints. Although the exploitation window is small, the impact of unauthorized access warrants prompt remediation.

Generated by OpenCVE AI on May 1, 2026 at 10:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Unlimited Timeline plugin to version 1.6.1 or later, which includes the fix for the missing authorization bug.
  • If the upgrade cannot be performed immediately, restrict administrative access to the plugin by limiting the user roles that can invoke its functionality, or implement role‑based controls via a security plugin.
  • Disable or uninstall the Unlimited Timeline plugin if it is not required for site functionality, thereby removing the attack surface.

Generated by OpenCVE AI on May 1, 2026 at 10:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-11108 Missing Authorization vulnerability in NotFound Unlimited Timeline allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Unlimited Timeline: from n/a through n/a.
History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Tue, 28 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in NotFound Unlimited Timeline allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Unlimited Timeline: from n/a through n/a. Missing Authorization vulnerability in NotFound Unlimited Timeline unlimited-timeline allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Unlimited Timeline: from n/a through < 1.6.1.
References

Tue, 15 Apr 2025 22:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in NotFound Unlimited Timeline allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Unlimited Timeline: from n/a through n/a.
Title WordPress Unlimited Timeline < 1.6.1 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:54.731Z

Reserved: 2025-02-17T11:52:15.089Z

Link: CVE-2025-27008

cve-icon Vulnrichment

Updated: 2025-04-16T14:59:03.853Z

cve-icon NVD

Status : Deferred

Published: 2025-04-15T22:15:19.443

Modified: 2026-04-29T10:16:43.733

Link: CVE-2025-27008

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T10:15:17Z

Weaknesses