Timeline Block – Beautiful Timeline Builder for WordPress (Vertical & Horizontal Timelines) Security & Risk Analysis

The "timeline-block-block" plugin v1.3.7 presents a mixed security posture. On the positive side, the static analysis reveals good coding practices with 100% of SQL queries using prepared statements and all output being properly escaped. There are no identified file operations or external HTTP requests, and the attack surface is minimal with only one shortcode and no unprotected entry points. However, the complete absence of nonce checks and capability checks across all entry points is a significant concern, as it suggests a lack of robust authorization and session validation, which could be exploited if vulnerabilities were present.

The vulnerability history is more concerning, with two previously discovered medium-severity vulnerabilities: "Authorization Bypass Through User-Controlled Key" and "Cross-site Scripting." While there are currently no unpatched vulnerabilities, the types of past issues indicate potential weaknesses in how user input is handled and access is managed. The fact that the last vulnerability was in 2026, despite being an unpatched CVE, is unusual and may indicate a data anomaly or a placeholder. The plugin's reliance on Freemius for bundled libraries also warrants attention, as outdated bundled libraries can introduce security risks if not regularly updated.

Overall, while the code quality in terms of SQL and output handling is commendable, the lack of essential security checks and the history of past vulnerabilities, particularly those related to authorization and XSS, indicate areas that require diligent monitoring and potential remediation. The plugin currently appears to be free of active exploits based on the provided data, but the underlying architectural weaknesses and historical patterns suggest a moderate risk level.