Insecure Direct Object Reference in Beautiful Timeline Builder for WordPress
CVE-2026-1228

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Timeline Block – Beautiful Timeline Builder For WordPress (vertical & Horizontal Timelines)
Vendor: CVE Published:; 6 February 2026

What is CVE-2026-1228?

The Beautiful Timeline Builder plugin for WordPress has a vulnerability that allows authenticated users with Author-level access and higher to exploit the tlgb_shortcode() function. This issue arises from a lack of validation on a key that is user-controlled, potentially enabling these users to access private timeline content by manipulating the id attribute of the 'timeline_block' shortcode. As a result, sensitive information may be disclosed, impacting user privacy.

Affected Version(s)

Timeline Block – Beautiful Timeline Builder for WordPress (Vertical & Horizontal Timelines) 0 <= 1.3.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3446078/time...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 6, 2026
Vulnerability Reserved
Jan 20, 2026

Credit

Kazuma Matsumoto

CVE-2026-1228 Data

JSON