The plugin does not sanitize or escape the Timeline "Text" field, which allows high-privileged users, such as admins, to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Create or edit a Timeline and put the following payload in the "Text" field at the bottom: <script>alert(/XSS/)</script>
Click Save (the button below the Text field, not the one at the top of the page), then click Update.
The XSS is triggered in any post or page where the Timeline is embedded.
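The root cause described above is a field that is stored as submitted and echoed back unescaped where the Timeline is rendered. The following is an added example written for this advisory, not the plugin's own code: it shows the vulnerable save/render pattern beside a hardened version. It assumes it runs inside WordPress (update_post_meta, get_post_meta, wp_kses_post and esc_html are WordPress core functions); the function names and the `_timeline_text` meta key are hypothetical placeholders for whatever the plugin actually uses.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress is loaded.
// Function names and the meta key are hypothetical.

// --- Vulnerable pattern -------------------------------------------------
// The "Text" field is saved exactly as submitted and printed raw, so a
// value such as the payload in the advisory above becomes live markup
// wherever the Timeline shortcode/embed is rendered.
function vuln_timeline_save( int $timeline_id, string $text ): void {
    update_post_meta( $timeline_id, '_timeline_text', $text ); // no sanitization
}

function vuln_timeline_render( int $timeline_id ): string {
    $text = (string) get_post_meta( $timeline_id, '_timeline_text', true );
    return '<div class="timeline-text">' . $text . '</div>'; // unescaped output
}

// --- Hardened pattern ---------------------------------------------------
// 1) Sanitize on save with wp_kses_post(): it keeps the HTML a post body may
//    contain and strips <script>, on* event handlers and javascript: URLs.
//    Applying it unconditionally means it does not matter whether the saving
//    user holds unfiltered_html, which is exactly the case the advisory covers.
function safe_timeline_save( int $timeline_id, string $text ): void {
    update_post_meta( $timeline_id, '_timeline_text', wp_kses_post( $text ) );
}

// 2) Escape again at output time. Stored data is not trusted even if it was
//    filtered on save (older rows, direct database edits, import paths).
function safe_timeline_render( int $timeline_id ): string {
    $text = (string) get_post_meta( $timeline_id, '_timeline_text', true );
    return '<div class="timeline-text">' . wp_kses_post( $text ) . '</div>';
}

// 3) If the field is meant to hold plain text rather than rich content,
//    esc_html() is the stricter choice: every tag becomes visible text.
function safe_timeline_render_plain( int $timeline_id ): string {
    $text = (string) get_post_meta( $timeline_id, '_timeline_text', true );
    return '<div class="timeline-text">' . esc_html( $text ) . '</div>';
}
```

The practical check when reviewing a fix for this class of issue is to confirm that the escaping happens in the rendering path (the shortcode or embed callback), because that is where the advisory reports the payload firing; sanitizing only in the admin save handler leaves previously stored rows exploitable.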