Does Post Timeline have any unpatched vulnerabilities?

No. All known vulnerabilities in Post Timeline have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Post Timeline compatible with WordPress 6.9.4?

According to WordPress.org data, Post Timeline 2.4.3 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

How often is Post Timeline updated?

Post Timeline was last updated on Mar 10, 2026. Frequent updates are generally a positive security signal.

What is Post Timeline's security score?

Post Timeline has a WP-Safety security score of 99/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Post Timeline Security & Risk Analysis

wordpress.org/plugins/post-timeline

Create stunning and interactive timelines for your WordPress posts with ease. Post Timeline is the ultimate plugin for displaying your WordPress conte …

800 active installs v2.4.3 PHP + WP 4.8+ Updated Mar 10, 2026

announcementshistorypost-timelinetimelinevertical-timeline

A · Safe

CVEs total2

Unpatched0

Last CVEDec 29, 2024

Plugin page Download

Safety Verdict

Is Post Timeline Safe to Use in 2026?

Generally Safe

Score 99/100

Post Timeline has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEsLast CVE: Dec 29, 2024Updated 24d ago

Risk Assessment

The 'post-timeline' plugin version 2.4.3 presents a mixed security posture. While it shows some good practices like the absence of dangerous functions and a lack of external HTTP requests, several significant concerns emerge from the static analysis. A large attack surface is exposed with 10 AJAX handlers, 9 of which lack authentication checks, creating a substantial risk for unauthorized actions. The taint analysis reveals 2 high-severity flows with unsanitized paths, indicating potential for critical vulnerabilities if these flows are exploited.

The plugin's vulnerability history, with 2 known medium-severity CVEs, both related to Cross-Site Scripting, further highlights a recurring issue with input sanitization. Although there are currently no unpatched vulnerabilities, the pattern of past XSS issues in conjunction with the high-severity taint flows suggests a persistent weakness in how user-supplied data is handled. The low percentage of properly escaped outputs (41%) and the high percentage of SQL queries not using prepared statements (64%) reinforce these concerns.

In conclusion, while the plugin is not in a critical state due to the absence of unpatched CVEs and the absence of critical taint flows, the numerous unprotected AJAX handlers, high-severity unsanitized taint flows, and historical XSS vulnerabilities warrant serious attention. The developer needs to prioritize implementing proper authentication and capability checks for all AJAX endpoints and significantly improve input sanitization and output escaping practices to mitigate these risks.

Key Concerns

9 unprotected AJAX handlers
2 high severity taint flows
36% SQL queries not prepared
41% outputs not escaped
3 nonce checks vs 10 AJAX handlers
3 capability checks vs 10 AJAX handlers
2 medium CVEs (XSS history)

Vulnerabilities

Post Timeline Security Vulnerabilities

CVEs by Year

1 CVE in 2023

2023

1 CVE in 2024

2024

Patched Has unpatched

Severity Breakdown

Medium

2 total CVEs

CVE-2025-24614medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Post Timeline <= 2.3.9 - Reflected Cross-Site Scripting

Dec 29, 2024 Patched in 2.3.10 (65d)

CVE-2023-4284medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Post Timeline <= 2.2.5 - Reflected Cross-Site Scripting

Aug 10, 2023 Patched in 2.2.6 (166d)

Code Analysis

Analyzed Mar 16, 2026

Post Timeline Code Analysis

Dangerous Functions

Raw SQL Queries

5 prepared

Unescaped Output

342

233 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

36% prepared14 total queries

Output Escaping

41% escaped575 total outputs

Data Flows

4 unsanitized

Data Flow Analysis

6 flows4 with unsanitized paths

ptl_custom_filter_admin (includes\core.php:175)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

9 unprotected

Post Timeline Attack Surface

Entry Points12

Unprotected9

AJAX Handlers 10

authwp_ajax_ptl_ajax_handlerincludes\admin\ajax-handler.php:26

authwp_ajax_ajax_post_timeline_deactivate_feedbackincludes\plugin.php:186

authwp_ajax_ptl_load_postsincludes\plugin.php:298

noprivwp_ajax_ptl_load_postsincludes\plugin.php:299

authwp_ajax_ptl_popup_galleryincludes\plugin.php:301

noprivwp_ajax_ptl_popup_galleryincludes\plugin.php:302

authwp_ajax_timeline_ajax_load_postsincludes\plugin.php:304

noprivwp_ajax_timeline_ajax_load_postsincludes\plugin.php:305

authwp_ajax_ptl_save_post_likeincludes\plugin.php:308

noprivwp_ajax_ptl_save_post_likeincludes\plugin.php:309

Shortcodes 2

[post-timeline] includes\frontend\app.php:186

[post-timeline-social-icons] includes\frontend\app.php:188

WordPress Hooks 33

filterblock_categories_alladmin\blocks\index.php:23

actionenqueue_block_editor_assetsadmin\blocks\index.php:60

actionadmin_footerincludes\admin\feedback.php:42

actionadmin_menuincludes\admin\manager.php:97

filtermanage_edit-post-timeline_columnsincludes\admin\manager.php:99

actionmanage_post-timeline_posts_custom_columnincludes\admin\manager.php:100

filterget_termsincludes\admin\manager.php:103

filtermanage_edit-ptl_tag_columnsincludes\admin\manager.php:106

filtermanage_ptl_tag_custom_columnincludes\admin\manager.php:109

actionadmin_enqueue_scriptsincludes\admin\manager.php:117

actionmedia_buttonsincludes\admin\manager.php:120

actionadmin_headincludes\admin\manager.php:121

filterregister_post_type_argsincludes\admin\manager.php:122

actiondo_meta_boxesincludes\admin\manager.php:123

filterwp_terms_checklist_argsincludes\admin\manager.php:124

filterposts_orderbyincludes\admin\manager.php:125

actionrestrict_manage_postsincludes\admin\manager.php:128

actionpre_get_postsincludes\admin\manager.php:131

filterget_user_option_edit_ptl_tag_per_pageincludes\admin\manager.php:133

filtertemplate_includeincludes\admin\manager.php:266

filterposts_clausesincludes\layouts\base.php:142

actionplugins_loadedincludes\plugin.php:164

actioninitincludes\plugin.php:180

filterot_header_logo_linkincludes\plugin.php:194

filterot_header_version_textincludes\plugin.php:195

filterot_list_item_title_labelincludes\plugin.php:196

actionadd_meta_boxesincludes\plugin.php:201

actionsave_postincludes\plugin.php:204

actioninitincludes\plugin.php:289

actionwp_headincludes\plugin.php:290

actionwp_enqueue_scriptsincludes\plugin.php:291

actionwp_headincludes\plugin.php:293

actionelementor/widgets/widgets_registeredincludes\vendors\elementor\addon.php:21

Maintenance & Trust

Post Timeline Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedMar 10, 2026

PHP min version

Downloads46K

Community Trust

Rating84/100

Number of ratings21

Active installs800

Alternatives

Post Timeline Alternatives

My Timeline Blog

my-timeline-blog

100

My Timeline Blog is the WordPress Plugin that creates Responsive Timeline blog Page for you, using this plugin users can create own responsive Vertica …

10 No CVEs