CVE-2025-11805: 
WordPress vulnerability analysis and mitigation

The Skip to Timestamp plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-11805) in all versions up to and including 1.4.4. The vulnerability was disclosed on November 10, 2025, affecting the plugin's 'skipto' shortcode functionality (NVD, AttackerKB).

The vulnerability stems from insufficient input sanitization and output escaping specifically in the 'time' attribute of the 'skipto' shortcode. The issue has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating a network-exploitable vulnerability with low attack complexity requiring low privileges (NVD).

When successfully exploited, the vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever any user accesses the compromised page, potentially leading to session hijacking, credential theft, or other client-side attacks (AttackerKB).

The plugin has been temporarily closed as of November 7, 2025, pending a full security review. Users are advised to disable and remove the plugin until a patched version becomes available (WordPress).