Timeline Calendar <= 1.2 - Authenticated (admin+) SQL Injection
Description
The Timeline Calendar WordPress plugin through 1.2 does not sanitise, validate or escape the edit GET parameter before using it in a SQL statement when editing events, leading to an authenticated SQL injection issue. Other SQL injections are also present in the plugin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress/Timeline Calendar
- Range: <=1.2
Patches
Vulnerability mechanics
Root cause
"The `edit` GET parameter is used directly in a SQL query without sanitization, validation, or escaping."
Attack vector
An authenticated attacker with Administrator-level access sends a crafted GET request to `/wp-admin/admin.php?page=events` with a malicious `edit` parameter containing a SQL injection payload, such as `-4292 UNION ALL SELECT user(),user(),current_user()-- -`. The unsanitized parameter is interpolated directly into the SQL query, allowing the attacker to extract arbitrary data from the database [ref_id=1].
Affected code
The vulnerability exists in `timeline.php` at line 263, where the `edit` GET parameter is passed directly into a SQL statement without sanitization, validation, or escaping. The vulnerable query is: `$load = $wpdb->get_row("SELECT day, month, event FROM ".TABLE_NAME." WHERE id = $eid");` [ref_id=1].
What the fix does
The advisory does not include a patch diff. The recommended remediation is to properly sanitize, validate, or escape the `edit` GET parameter before using it in a SQL statement, such as by using `$wpdb->prepare()` with a placeholder or casting the value to an integer. The plugin was closed on June 3, 2021, and no fixed version has been released [ref_id=1].
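As an added illustration of the remediation just described (example code written for this page, not the plugin's or the advisory's own), the vulnerable query pattern from `timeline.php` is shown beside a hardened handler that validates `edit` as an integer and binds it through a `%d` placeholder. The `MiniWpdb` stand-in, the table name `wp_timeline_events`, the function names and the positive-integer range check are assumptions made so the script runs outside WordPress; in the plugin itself the real `$wpdb->prepare()` is used and the stub is not needed.

```php
<?php
// Added example, not the Timeline Calendar plugin's code.
// MiniWpdb is a constructed stand-in for WordPress's $wpdb so the script
// runs stand-alone; the real $wpdb->prepare() applies the same %d cast.

// Constructed placeholder: the advisory only shows the TABLE_NAME constant.
define('TABLE_NAME', 'wp_timeline_events');

class MiniWpdb {
    public $last_query = '';

    // Mirrors the part of $wpdb->prepare() used below: every %d argument is
    // cast to int, so no request string can reach the SQL text unchanged.
    public function prepare(string $query, ...$args): string {
        $args = array_map(fn($a) => (int) $a, $args);
        return vsprintf($query, $args);
    }

    public function get_row(string $query) {
        $this->last_query = $query;
        return null; // no database behind the stub; the query text is what matters here
    }
}

// Vulnerable pattern from the advisory (timeline.php line 263): the raw
// `edit` parameter is interpolated straight into the statement.
function load_event_vulnerable(MiniWpdb $wpdb, array $get) {
    $eid = $get['edit'];
    return $wpdb->get_row("SELECT day, month, event FROM " . TABLE_NAME . " WHERE id = $eid");
}

// Hardened version: reject anything that is not a positive integer
// (positive IDs are an assumption for auto-increment keys), then bind
// the validated value through a %d placeholder.
function load_event_hardened(MiniWpdb $wpdb, array $get) {
    $eid = filter_var(
        $get['edit'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($eid === false) {
        return null; // hypothetical: the plugin would show an error or wp_die() here
    }
    return $wpdb->get_row(
        $wpdb->prepare("SELECT day, month, event FROM " . TABLE_NAME . " WHERE id = %d", $eid)
    );
}

$wpdb = new MiniWpdb();
// The payload quoted in the advisory, supplied as the `edit` parameter.
$payload = ['edit' => '-4292 UNION ALL SELECT user(),user(),current_user()-- -'];

load_event_vulnerable($wpdb, $payload);
echo "vulnerable: " . $wpdb->last_query . "\n"; // the UNION becomes part of the statement

$wpdb->last_query = '';
load_event_hardened($wpdb, $payload);
echo "hardened:   " . ($wpdb->last_query === '' ? '(request rejected, no query run)' : $wpdb->last_query) . "\n";

load_event_hardened($wpdb, ['edit' => '17']);
echo "hardened:   " . $wpdb->last_query . "\n"; // only the integer 17 reaches the WHERE clause
```

The integer validation and the `%d` placeholder are two independent layers: `filter_var()` with `FILTER_VALIDATE_INT` refuses the payload outright because it is not a bare integer, and even if a non-integer string slipped through, `prepare()` casts the `%d` argument so the statement text can never contain attacker-controlled SQL.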
Preconditions
- auth: Attacker must have Administrator-level access to the WordPress site
- config: The Timeline Calendar plugin version 1.2 (or lower) must be installed and active
- network: Attacker must be able to send HTTP GET requests to the WordPress admin panel
Reproduction
Send a GET request to `/wp-admin/admin.php?page=events&edit=-4292 UNION ALL SELECT user(),user(),current_user()-- -` with a valid administrator session cookie. The response will reflect the results of the injected UNION SELECT query, confirming the SQL injection [ref_id=1].
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- codevigilant.com/disclosure/2021/wp-plugin-timeline-calendar/ (MISC)
- wpscan.com/vulnerability/14c75a00-a52b-430b-92da-5145e5aee30a (MISC)