{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69384", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:13:11.108Z", "datePublished": "2026-02-20T15:46:54.106Z", "dateUpdated": "2026-04-28T20:57:56.874Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "timeline-event-history", "product": "Timeline Event History", "vendor": "wpdiscover", "versions": [{"lessThanOrEqual": "3.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:12.036Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdiscover Timeline Event History timeline-event-history allows Reflected XSS.<p>This issue affects Timeline Event History: from n/a through <= 3.2.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdiscover Timeline Event History timeline-event-history allows Reflected XSS.This issue affects Timeline Event History: from n/a through <= 3.2."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:39.706Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/timeline-event-history/vulnerability/wordpress-timeline-event-history-plugin-3-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Timeline Event History plugin <= 3.2 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-23T21:36:58.760441Z", "id": "CVE-2025-69384", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T20:57:56.874Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-69384", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-23T21:36:58.760441Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T21:36:59.785Z"}}], "cna": {"title": "WordPress Timeline Event History plugin <= 3.2 - Reflected Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "wpdiscover", "product": "Timeline Event History", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.2"}], "packageName": "timeline-event-history", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:04:12.036Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/timeline-event-history/vulnerability/wordpress-timeline-event-history-plugin-3-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdiscover Timeline Event History timeline-event-history allows Reflected XSS.This issue affects Timeline Event History: from n/a through <= 3.2.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdiscover Timeline Event History timeline-event-history allows Reflected XSS.<p>This issue affects Timeline Event History: from n/a through <= 3.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:39.706Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69384", "state": "PUBLISHED", "dateUpdated": "2026-04-28T20:57:56.874Z", "dateReserved": "2025-12-31T20:13:11.108Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:54.106Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdiscover Timeline Event History timeline-event-history allows Reflected XSS.This issue affects Timeline Event History: from n/a through <= 3.2."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en wpdiscover Timeline Event History timeline-event-history permite XSS Reflejado. Este problema afecta a Timeline Event History: desde n/a hasta &lt;= 3.2."}], "id": "CVE-2025-69384", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:23.523", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/timeline-event-history/vulnerability/wordpress-timeline-event-history-plugin-3-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Timeline Event History", "source": "cna", "vendor": "wpdiscover"}, "product": "timeline_event_history", "vendor": "wpdiscover"}], "analysis": {"en": {"generated_at": "2026-04-28T17:37:51.645177+00:00", "value": {"mitigation_remediation": ["Update the Timeline Event History plugin to version 3.3 or later to remove the reflected XSS flaw.", "If an update is not yet available, uninstall or disable the plugin until a fix is released.", "As a temporary measure, restrict the plugin\u2019s usage to trusted user roles and avoid rendering untrusted user input in plugin pages.", "If feasible, employ a web application firewall or apply output\u2011escaping headers to mitigate reflected XSS on the affected pages."], "summary": {"action": "Apply Patch", "impact": "Reflected Cross\u2011Site Scripting in Timeline Event History plugin"}, "threat_synthesis": {"affected_systems": "All versions of the Timeline Event History plugin from the first release through 3.2 inclusive are affected, as provided by the vendor wpdiscover. Any WordPress installation that has one of these versions installed remains vulnerable unless it has been updated to 3.3 or later.", "description_and_impact": "The WordPress Timeline Event History plugin contains an improper neutralization of input during web page generation, allowing an attacker to inject arbitrary client\u2011side scripts into pages served by the plugin. This reflected cross\u2011site scripting flaw, identified as CWE\u201179, enables the execution of arbitrary client\u2011side scripts when user input is reflected. The vulnerability is triggered by user\u2011controlled data that is not adequately sanitized before being reflected in the generated HTML.", "risk_and_exploitability": "With a CVSS score of 7.1, the flaw is considered high severity. The EPSS score is less than 1%, indicating a low likelihood of widespread exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is via a crafted web request that includes malicious payloads in query parameters or form fields; browsers rendering the reflected response will execute the embedded script."}}}}, "created": "2026-02-23T14:37:10.522507+00:00", "updated": "2026-04-28T17:45:16.128837+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpdiscover", "wpdiscover$PRODUCT$timeline_event_history"]}