Impact
The vulnerability is in the Wikimedia Foundation's Timeline extension for MediaWiki (EasyTimeline), in the files scripts/EasyTimeline.pl and includes/Timeline.php. User-controlled input reaches a code path that evaluates it as code (CWE-94, Improper Control of Generation of Code), so an attacker who can supply crafted timeline input can execute arbitrary code in the context of the process that renders timelines. Because that process runs on the web server, a successful attack compromises the confidentiality, integrity and availability of the hosting system and can give the attacker full control of the web application.
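The advisory does not say which construct in EasyTimeline evaluates the input, so the following is an added, constructed illustration of the CWE-94 pattern in Python, not the extension's code: a date field in a timeline directive is handed to eval(), and the same field is instead parsed against an allowlist of expression nodes. The directive syntax, the CANARY marker and the function names are assumptions made for the example.

```python
"""CWE-94 in miniature: a user-supplied field is evaluated as code.

Added illustration in Python; not EasyTimeline's code. The directive format
('from:<expr> till:<expr>') and all names below are constructed for the demo.
"""
import ast
import operator

# Constructed sample input: a date field that may hold small arithmetic.
BENIGN_DIRECTIVE = "from:1990+5 till:2000"
# The same field carrying an expression that runs attacker-chosen code.
# (CANARY.append is the harmless stand-in for a real payload; the tuple
# indexing keeps the payload free of whitespace so it survives tokenising.)
MALICIOUS_DIRECTIVE = "from:(CANARY.append('ran'),0)[1] till:2000"

# Records whether injected code actually executed during the demo.
CANARY: list[str] = []


def parse_directive(line: str) -> dict[str, str]:
    """Split 'key:value key:value' into a dict. No evaluation happens here."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition(":")
        if not sep:
            raise ValueError(f"malformed token {token!r}")
        fields[key] = value
    return fields


def year_unsafe(expr: str) -> int:
    """Vulnerable: eval() runs whatever the user wrote, not just arithmetic."""
    return int(eval(expr))  # deliberately unsafe for the demonstration


# The only operators the hardened parser accepts.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def year_safe(expr: str) -> int:
    """Hardened: parse into an AST and walk an allowlist of node types.

    Only integer literals and binary + - * are accepted, so names, calls,
    attribute access and subscripts (everything a payload needs) are rejected
    before anything is evaluated.
    """
    def walk(node: ast.AST) -> int:
        if isinstance(node, ast.Constant) and isinstance(node.value, int) \
                and not isinstance(node.value, bool):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"disallowed syntax in {expr!r}")

    tree = ast.parse(expr, mode="eval")
    return walk(tree.body)


def is_rejected(expr: str) -> bool:
    """True if the hardened parser refuses the expression."""
    try:
        year_safe(expr)
    except (ValueError, SyntaxError):
        return True
    return False


def injection_ran() -> bool:
    """True once year_unsafe() has executed the canary payload."""
    return bool(CANARY)


if __name__ == "__main__":
    payload = parse_directive(MALICIOUS_DIRECTIVE)["from"]
    print("unsafe result:", year_unsafe(payload), "canary:", CANARY)
    print("safe rejects payload:", is_rejected(payload))
    print("safe benign:", year_safe(parse_directive(BENIGN_DIRECTIVE)["from"]))
```

The hardened version does not try to blocklist dangerous substrings; it enumerates what is allowed and refuses everything else, which is the only approach that holds up against the encoding and aliasing tricks an evaluator-based blocklist invariably misses.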
Affected Systems
The advisory lists the Timeline extension as affected "before 1.46.0, 1.45.4, 1.44.6, 1.43.9". In the Wikimedia advisory wording these are the first fixed releases on each maintained branch, so the vulnerable releases are everything before 1.46.0 on the current branch and every release on the 1.45, 1.44 and 1.43 branches earlier than 1.45.4, 1.44.6 and 1.43.9 respectively; branches older than 1.43 receive no fix and should be treated as vulnerable. Any deployment running one of those releases with the EasyTimeline component enabled remains exposed.
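A check that turns the version list above into a yes/no answer for an inventory, as an added example rather than anything shipped by OpenCVE or the extension. It assumes the advisory's listed releases are the first fixed release on each branch, that versions are dotted MediaWiki-style numbers, and that branches older than 1.43 (which have no listed fix) should be reported as vulnerable.

```python
"""Is an installed Timeline (EasyTimeline) release older than the fix?

Added example. The fixed-release table is read from the advisory text
("before 1.46.0, 1.45.4, 1.44.6, 1.43.9"), interpreted as the first fixed
release on each branch. Treating pre-1.43 branches as vulnerable is an
assumption: the advisory lists no fix for them.
"""
from __future__ import annotations

# First fixed release per maintained branch, as listed in the advisory.
FIXED_RELEASES: dict[tuple[int, int], tuple[int, int, int]] = {
    (1, 46): (1, 46, 0),
    (1, 45): (1, 45, 4),
    (1, 44): (1, 44, 6),
    (1, 43): (1, 43, 9),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.45.3' into (1, 45, 3); '1.45' becomes (1, 45, 0)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    while len(nums) < 3:
        nums += (0,)
    return nums


def is_vulnerable(version: str) -> bool:
    """True if the release predates the fix on its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_RELEASES:
        return v < FIXED_RELEASES[branch]
    if branch < min(FIXED_RELEASES):
        # Assumption: no fix is listed for branches before 1.43.
        return True
    # Anything newer than 1.46 already carries the master fix.
    return False


def triage(versions: list[str]) -> dict[str, bool]:
    """Map each inventory entry to its vulnerability status."""
    return {v: is_vulnerable(v) for v in versions}


if __name__ == "__main__":
    # Constructed inventory of hosts, one version string each.
    for ver, vuln in triage(["1.43.8", "1.43.9", "1.45.3", "1.46.0", "1.39.7"]).items():
        print(f"{ver:>8}: {'VULNERABLE' if vuln else 'fixed'}")
```

The comparison is done on the parsed tuple rather than on strings so that 1.45.10 sorts after 1.45.4; string comparison would get that wrong.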
Risk and Exploitability
No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, so there is no public evidence of exploitation in the wild. The CVSS severity is nevertheless high because the flaw yields remote code execution. The likely attack vector is crafted input delivered through the EasyTimeline interface or configuration; EasyTimeline markup is normally supplied inside <timeline> tags in wikitext, so on a wiki where the extension is enabled the pool of potential attackers includes everyone permitted to edit pages that render it. The advisory does not spell out any further prerequisites, so the effective risk depends on who can submit timeline input to the vulnerable component.
OpenCVE Enrichment