CVE-2025-11922 – This vulnerability allows authenticated WordPre... (How to Fix)

Q: What is the severity of CVE-2025-11922?

CVE-2025-11922 has a CVSS score of 6.4 (MEDIUM). This vulnerability allows authenticated WordPress users with subscriber-level access or higher to inject malicious scripts into pages via the 'ina_redirect_page_individual_user' parameter. The scripts execute when other users view the compromised pages, enabling session hijacking, credential theft, or site defacement. All WordPress sites using the Inactive Logout plugin up to version 3.5.5 are affected.

📋 TL;DR

This vulnerability allows authenticated WordPress users with subscriber-level access or higher to inject malicious scripts into pages via the 'ina_redirect_page_individual_user' parameter. The scripts execute when other users view the compromised pages, enabling session hijacking, credential theft, or site defacement. All WordPress sites using the Inactive Logout plugin up to version 3.5.5 are affected.

💻 Affected Systems

Products:

WordPress Inactive Logout plugin

Versions: All versions up to and including 3.5.5

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with the vulnerable plugin enabled. Attackers need at least subscriber-level authenticated access.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, take over the WordPress site, install backdoors, or redirect users to malicious sites, potentially leading to complete site compromise and data breaches.

🟠

Likely Case

Attackers inject malicious scripts to steal user session cookies, redirect users to phishing pages, or deface the website with malicious content.

🟢

If Mitigated

With proper input validation and output escaping, the vulnerability is eliminated, preventing script injection entirely.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but is straightforward due to the lack of input sanitization. The vulnerability is publicly documented with code references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.6 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3385001%40inactive-logout%2Ftrunk&old=3362978%40inactive-logout%2Ftrunk&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Inactive Logout' and click 'Update Now' if available. 4. Alternatively, download version 3.5.6+ from WordPress.org and replace the plugin files manually via FTP/SFTP.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily deactivate the Inactive Logout plugin to eliminate the vulnerability until patching is possible.

wp plugin deactivate inactive-logout

Restrict user registration

all

Disable new user registrations or require administrator approval to limit potential attackers with subscriber access.

wp option update users_can_register 0

🧯 If You Can't Patch

Remove the Inactive Logout plugin entirely and use alternative session management solutions.
Implement a web application firewall (WAF) with XSS protection rules to block malicious payloads.

🔍 How to Verify

Check if Vulnerable:

Check the plugin version in WordPress admin under Plugins > Installed Plugins. If version is 3.5.5 or lower, the site is vulnerable.

Check Version:

wp plugin get inactive-logout --field=version

Verify Fix Applied:

Confirm the plugin version is 3.5.6 or higher after updating. Test the 'ina_redirect_page_individual_user' parameter with basic script payloads to ensure they are sanitized.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to wp-admin/admin-ajax.php with 'ina_redirect_page_individual_user' parameter containing script tags or JavaScript code.
Multiple failed login attempts followed by successful subscriber-level access.

Network Indicators:

Unexpected outbound connections from the WordPress server to unknown domains after page views.

SIEM Query:

source="wordpress.log" AND ("ina_redirect_page_individual_user" AND ("<script>" OR "javascript:"))

📊 Metadata

CVE ID: CVE-2025-11922

CVSS v3 Score: 6.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.05% exploit probability (14.9th percentile)

Published: November 1, 2025

Last Updated: November 4, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-11922, you might also want to check these: