CVE-2024-5726

Name of the Vulnerable Software and Affected Versions: Timeline Event History plugin for WordPress versions up to, and including, 3.1

Description: The issue allows authenticated attackers with Contributor-level access and above to inject a PHP Object via deserialization of untrusted input timelines-data parameter. This could potentially lead to the deletion of arbitrary files, retrieval of sensitive data, or execution of code if a POP chain is present via an additional plugin or theme installed on the target system.

Recommendations: For Timeline Event History plugin for WordPress versions up to, and including, 3.1, consider disabling the deserialization of the timelines-data parameter until a patch is available. Restrict access to the plugin to minimize the risk of exploitation. Avoid using the timelines-data parameter in the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.