WordPress Security Bulletin: The Timeline Block – Beautiful Timeline Builder for WordPress (Vertical & Horizontal Timelines) (CVE-2026-1228)

On this page

Security Alert Summary

A vulnerability in The Timeline Block – Beautiful Timeline Builder for WordPress (Vertical & Horizontal Timelines) allows authenticated users with Author-level access and above to disclose private timeline content via the timeline_block shortcode. The issue is caused by missing validation of a user-controlled key in the tlgb_shortcode() function.


CVE Details

  • CVE ID: CVE-2026-1228
  • Affected component: The Timeline Block – Beautiful Timeline Builder for WordPress (Vertical & Horizontal Timelines) plugin for WordPress
  • Affected versions: All versions up to, and including, 1.3.3
  • Published: February 6, 2026 at 3:15:48 AM UTC
  • Last modified: February 6, 2026 at 3:14:47 PM UTC
  • CVSS v3.1 base score: 4.3 (MEDIUM)
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • Authentication / privileges / user interaction: Requires an authenticated user with Author-level access or higher. CVSS indicates Privileges Required: LOW and User Interaction: NONE.
  • Primary impact: Confidentiality: LOW; Integrity: NONE; Availability: NONE
  • Weakness (CWE): CWE-639 (Authorization Errors)

Technical Details

The plugin’s tlgb_shortcode() function fails to validate a user-controlled key passed via the id attribute of the timeline_block shortcode. This constitutes an Insecure Direct Object Reference (IDOR) where the application trusts the supplied identifier without verifying that the requesting user is authorized to access the referenced timeline content.

Because the shortcode handler does not perform the necessary authorization checks on the provided identifier, authenticated users with Author-level permissions or higher can supply an id value that references private timelines and retrieve their content. The issue is limited to disclosure of timeline content (confidentiality impact) and does not, based on the provided information, affect integrity or availability.


How This Could Impact Your Website

In a typical small- or medium-sized WordPress site, several roles interact with content: a site owner or administrator, internal staff (editors/contributors), and external contractors or contributors. If an Author-level user or higher supplies a manipulated id to the timeline_block shortcode, they could view timeline entries that were intended to remain private.

Practical consequences include disclosure of internal notes, unpublished events, or contact details that may be embedded in timeline entries. Exposed information can increase the risk of targeted phishing or social engineering against staff or contractors. If timeline content contains personally identifiable information or email addresses, those data could be used for follow-up attacks or unwanted contact.

professional review If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially Contributors and Authors who can publish or manage content.
  • Enforce strong passwords and enable two-factor authentication for Editors and Administrators.
  • Remove unused or unmaintained plugins to reduce your attack surface.
  • Monitor site activity and logs for unusual behavior, such as unexpected shortcode parameters or content access by non-administrative accounts.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References