The vulnerability is an improper neutralization of input during web page generation that allows stored cross‑site scripting within the WordPress Timeline Event History plugin. An attacker can inject malicious JavaScript that will execute in the browsers of any user who views the vulnerable event. It is inferred that such execution could lead to actions such as cookie theft, session hijacking, or defacement, based on typical stored XSS scenarios. The flaw stems from unsanitised input being stored in the event record and later rendered without encoding.

Affects the wpdiscover Timeline Event History plugin for WordPress, specifically all releases from the earliest available version through 3.2 inclusive. Users running any version of this plugin vulnerable to the flaw should verify the version and upgrade if possible.

The CVSS score of 6.5 classifies the issue as medium severity, while the EPSS score indicates a very low probability of exploitation (less than 1%). The flaw is not listed in CISA’s KEV catalog. The attack vector is likely an authenticated user with permission to create or edit events, based on the requirement that malicious input be stored in the plugin database. Once an event is injected, any visitor to that event page will be affected. Overall, the risk is moderate. It is inferred that if an attacker exploited the XSS, the impact to compromised users could be significant, such as theft of session cookies or spread of malware.