CVE-2025-11805 identifies a stored cross-site scripting vulnerability in the 'Skip to Timestamp' WordPress plugin developed by doytch. This vulnerability exists in all versions up to and including 1.4.4 due to insufficient sanitization and escaping of the 'time' attribute within the 'skipto' shortcode. Specifically, the plugin fails to properly neutralize input before embedding it into web pages, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code. When other users access the affected pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed in the context of the victim's session. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e., Cross-site Scripting). The CVSS v3.1 base score is 6.4 (medium severity), with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, requiring privileges, no user interaction, scope changed, and limited confidentiality and integrity impacts. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability affects all installations of the plugin up to version 1.4.4, which is commonly used in WordPress sites to enable timestamp skipping in video content or similar media.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity through stored XSS attacks. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of any user visiting the infected pages, including administrators and site editors. This can lead to session hijacking, theft of authentication tokens, unauthorized actions performed on behalf of victims, or distribution of malware. Although the vulnerability does not directly affect availability, the resulting compromise can lead to reputational damage, loss of user trust, and potential regulatory consequences for organizations handling sensitive user data. Since exploitation requires authenticated access, the risk is somewhat mitigated by access controls, but insider threats or compromised contributor accounts increase the risk. Organizations running WordPress sites with this plugin are at risk of targeted attacks, especially those with multiple contributors or less stringent access management policies.

To mitigate this vulnerability, organizations should immediately update the 'Skip to Timestamp' plugin to a version that addresses the input sanitization and output escaping issues once available. If no patch is currently released, administrators should consider temporarily disabling or uninstalling the plugin to eliminate the attack vector. Implement strict access controls and audit contributor accounts to reduce the risk of malicious insiders or compromised credentials. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injection attempts targeting the 'skipto' shortcode parameters. Additionally, enable Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Regularly scan WordPress sites for injected scripts or anomalous content and educate contributors about secure coding and input validation practices. Monitoring logs for unusual contributor activity can also help detect exploitation attempts early.