CVE-2025-11922 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Inactive Logout plugin for WordPress, developed by j_3rk. The vulnerability exists due to improper neutralization of input during web page generation, specifically involving the 'ina_redirect_page_individual_user' parameter. This parameter is insufficiently sanitized and escaped, allowing authenticated users with subscriber-level or higher privileges to inject arbitrary JavaScript code into pages. Because the injected scripts are stored, they execute every time a user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 3.5.5 of the plugin. The CVSS 3.1 base score is 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No known exploits have been reported in the wild yet. The vulnerability was reserved on October 17, 2025, and published on November 1, 2025. The plugin is widely used in WordPress environments to manage user inactivity logout behavior, making this vulnerability relevant to many websites globally. The root cause is the lack of proper input validation and output encoding in the plugin's handling of user-supplied parameters, a common issue leading to stored XSS in web applications.

The impact of CVE-2025-11922 can be significant for organizations running WordPress sites with the Inactive Logout plugin installed. Successful exploitation allows authenticated users with minimal privileges (subscriber-level) to inject malicious scripts that execute in the context of other users visiting the affected pages. This can lead to session hijacking, theft of sensitive information such as cookies or tokens, unauthorized actions performed on behalf of users, and potential lateral movement within the site. While the vulnerability does not directly affect availability, the compromise of user accounts and data integrity can damage organizational reputation, lead to data breaches, and facilitate further attacks such as privilege escalation or malware deployment. Since the vulnerability requires authentication but no user interaction, it lowers the barrier for attackers who have gained subscriber access, which is common in many WordPress setups. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, increasing risk. Organizations with large user bases or sensitive data hosted on WordPress sites are particularly at risk, as are those with less stringent user role management and monitoring.

To mitigate CVE-2025-11922, organizations should take the following specific actions: 1) Immediately update the Inactive Logout plugin to a patched version once released by the vendor. If no patch is available, consider temporarily disabling the plugin to prevent exploitation. 2) Implement strict input validation and output encoding for all user-supplied parameters, especially 'ina_redirect_page_individual_user', to neutralize potentially malicious scripts. 3) Restrict user privileges by minimizing subscriber-level access and auditing user roles regularly to ensure only trusted users have authenticated access. 4) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting this parameter. 5) Monitor logs and user activity for unusual behavior indicative of XSS exploitation attempts. 6) Educate site administrators and developers on secure coding practices to prevent similar vulnerabilities. 7) Use Content Security Policy (CSP) headers to limit script execution sources, reducing the impact of injected scripts. 8) Conduct regular security assessments and penetration testing focusing on plugin vulnerabilities. These measures collectively reduce the risk of exploitation and limit potential damage.