The plugin does not sanitize or escape the Timeline Text field, which allows high-privileged users such as an admin to perform stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example on multisite installations or where DISALLOW_UNFILTERED_HTML is set). The plugin's own save and render paths bypass the HTML filtering that WordPress core applies to post content.
Create or edit a Timeline and put the following payload in the "Text" field at the bottom:
Click Save (the button below the Text field, not the one at the top of the page), then click Update. The XSS is triggered on any post or page where the Timeline is embedded.
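The root cause described above is stored text being written into the page unfiltered. The PHP below is an added illustration, not the affected plugin's code: the function names and the field name are hypothetical, and it contrasts the vulnerable render pattern with a save/render pair that filters with WordPress core's own kses functions.

```php
<?php
// Hypothetical save/render pair for a timeline "Text" field. Added example,
// not the affected plugin's code; function names are assumptions.

// Vulnerable pattern: the stored value is concatenated into the page as-is,
// so any markup a privileged user saved is executed in the visitor's browser.
function tl_render_text_vulnerable( $text ) {
    return '<div class="timeline-text">' . $text . '</div>';
}

// Hardened pattern, part 1: sanitize on save. wp_kses_post() keeps the HTML
// allowed in post content and strips script tags, event handlers and
// javascript: URLs regardless of the saving user's capabilities.
function tl_sanitize_text_on_save( $raw_from_request ) {
    return wp_kses_post( wp_unslash( $raw_from_request ) );
}

// Hardened pattern, part 2: filter again on output, so values written before
// the fix (or through another code path) are still neutralised. If the field
// should carry no markup at all, use esc_html() here instead.
function tl_render_text_hardened( $stored_text ) {
    return '<div class="timeline-text">' . wp_kses_post( $stored_text ) . '</div>';
}

// Constructed demo input (a placeholder, not the reporter's payload):
$demo = '<b>Launch</b><script>alert(1)</script>';
echo tl_render_text_hardened( tl_sanitize_text_on_save( $demo ) );
// The <b> tag survives; the <script> element is removed.
```

wp_kses_post() filters unconditionally. If a plugin wants to honour unfiltered_html for users who legitimately hold it, it can branch on current_user_can( 'unfiltered_html' ) before saving, which mirrors what core does for post content; applying the filter unconditionally is the safer default and is what the advisory's "even when unfiltered_html is disallowed" condition calls for.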