CVE-2025-11922 is a stored Cross-Site Scripting vulnerability affecting the Inactive Logout plugin for WordPress, maintained by the vendor j_3rk. The flaw exists in all versions up to and including 3.5.5, where the 'ina_redirect_page_individual_user' parameter is not properly sanitized or escaped before being rendered on web pages. This improper neutralization of input (CWE-79) allows an authenticated attacker with subscriber-level privileges or higher to inject arbitrary JavaScript code into pages viewed by other users. Because the vulnerability is stored, the malicious script persists on the server and executes automatically when a victim accesses the infected page, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting that it can be exploited remotely over the network (AV:N) with low attack complexity (AC:L), requires privileges (PR:L) but no user interaction (UI:N), and impacts confidentiality and integrity with a scope change (S:C). No patches or official fixes are currently linked, and no known exploits have been reported in the wild, but the vulnerability poses a significant risk due to the widespread use of WordPress and the plugin. The vulnerability is particularly concerning because subscriber-level users are often considered low risk, yet here they can inject persistent scripts affecting other users, including administrators.

For European organizations, this vulnerability could lead to unauthorized access to sensitive information, session hijacking, and potential compromise of administrative accounts if attackers leverage the injected scripts to escalate privileges. Organizations relying on WordPress sites with the Inactive Logout plugin are at risk of data leakage and integrity violations, especially if subscriber accounts are widely used or if user-generated content is common. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised user, increasing the potential damage. This could impact sectors with high regulatory requirements such as finance, healthcare, and government, where data confidentiality and integrity are critical. Additionally, reputational damage and compliance violations under GDPR could result from exploitation. The lack of known exploits currently provides a window for proactive mitigation, but the medium severity score suggests that exploitation is feasible and impactful enough to warrant immediate attention.

European organizations should immediately audit their WordPress installations to identify the presence of the Inactive Logout plugin and its version. Until an official patch is released, organizations should consider disabling or removing the plugin to eliminate the attack vector. Restrict subscriber-level user permissions to the minimum necessary and monitor for unusual activity or script injections in user-generated content. Implement Web Application Firewalls (WAFs) with robust XSS filtering and input validation rules to detect and block malicious payloads targeting the vulnerable parameter. Regularly review and sanitize all user inputs and outputs in WordPress environments. Employ Content Security Policy (CSP) headers to restrict script execution sources, reducing the impact of injected scripts. Finally, maintain vigilant monitoring and logging to detect any exploitation attempts and prepare for rapid patch deployment once available.