CVE-2025-11922 is a stored cross-site scripting (XSS) vulnerability identified in the Inactive Logout plugin for WordPress, developed by j_3rk. The vulnerability exists in all versions up to and including 3.5.5 due to insufficient sanitization and escaping of the 'ina_redirect_page_individual_user' parameter. This parameter is used during web page generation, and improper neutralization of input allows an authenticated attacker with subscriber-level privileges or higher to inject arbitrary JavaScript code into pages. When other users visit these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the victim's session. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common vector for XSS attacks. The CVSS 3.1 base score is 6.4, reflecting medium severity, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), privileges required (PR:L), no user interaction (UI:N), and a scope change (S:C) affecting confidentiality and integrity but not availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability's impact is significant because it allows low-privileged authenticated users to compromise other users' sessions and data, undermining trust and security of affected WordPress sites.

For European organizations, this vulnerability poses a risk primarily to websites and web applications running WordPress with the Inactive Logout plugin installed. Exploitation could lead to unauthorized access to user sessions, data theft, and potential defacement or manipulation of website content. This can damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR violations if personal data is compromised), and cause operational disruptions. Since the vulnerability requires only subscriber-level authentication, attackers can leverage compromised or created low-privilege accounts to escalate attacks. The scope of impact includes confidentiality and integrity of user data and website content, but not availability. Organizations relying on WordPress for customer-facing portals, intranets, or content management are particularly at risk. The absence of known exploits suggests a window for proactive mitigation before widespread abuse occurs.

European organizations should immediately audit their WordPress installations to identify the presence of the Inactive Logout plugin and its version. Until an official patch is released, administrators should consider disabling or uninstalling the plugin to eliminate the attack surface. If disabling is not feasible, restrict subscriber-level account creation and monitor for suspicious activity or unauthorized script injections. Implement web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the 'ina_redirect_page_individual_user' parameter. Employ Content Security Policy (CSP) headers to mitigate the impact of XSS by restricting script execution sources. Regularly review user accounts and permissions to minimize the number of low-privilege users. Educate site administrators about the risks of XSS and the importance of input validation and output encoding in custom code. Finally, monitor security advisories for updates or patches from the plugin vendor and apply them promptly once available.