The Post Timeline plugin for WordPress has a security vulnerability that could allow unauthenticated attackers to inject malicious code into pages on a website. This vulnerability exists in versions of the plugin up to and including version 2.2.5. The issue arises from the plugin not properly sanitizing user input and not properly encoding output, which allows attackers to inject web scripts into a page. If a user can be tricked into taking action, such as clicking a link, the malicious code will be executed.