WordPress Plugin Vulnerabilities

Knight Lab Timeline < 3.7.0.0 - Outdated TimelineJS library could Lead to Stored XSS

Description

The plugin used the TimelineJS library < 3.7.0 which is affected by a stored Cross-Site Scripting issues if an attacker has write privileges on the source data used for the timeline which is stored on Google Sheets or in a JSON configuration file.

Affects Plugins

Plugin icon
knight-lab-timelinejs
Fixed in 3.7.0.0

References

CVE
CVE-2020-15092
URL
https://github.com/NUKnightLab/TimelineJS3/security/advisories/GHSA-2jpm-827p-j44g
URL
https://knightlab.northwestern.edu/2020/07/09/timelinejs-update/index.html

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
Zander Work
Verified
No
WPVDB ID
cf8689ea-99e9-4382-9d83-84fdedf07df9

Timeline

Publicly Published
2020-07-09 (about 5 years ago)
Added
2020-07-09 (about 5 years ago)
Last Updated
2020-07-10 (about 5 years ago)

Other

Published
Title
Published
2014-08-01
Title
meenews 5.1 - Cross-Site Scripting Vulnerabilities
Published
2024-01-18
Title
Booking for Appointments and Events Calendar – Amelia < 1.0.94 - Contributor+ Stored Cross-Site Scripting via shortcode
Published
2025-01-07
Title
Featured Page Widget <= 2.2 - Reflected Cross-Site Scripting
Published
2021-05-09
Title
UpdraftPlus < 1.6.59 - Admin+ Stored Cross-Site Scripting
Published
2025-08-02
Title
Druco < 1.5.3 - Reflected Cross-Site Scripting