CVE-2025-11922
BaseFortify
Publication date: 2025-11-01
Last updated on: 2025-11-04
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | inactive_logout | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability is a Stored Cross-Site Scripting (XSS) issue in the WordPress plugin 'Inactive Logout' affecting versions up to 3.5.5. It occurs due to insufficient input sanitization and output escaping of the 'ina_redirect_page_individual_user' parameter. Authenticated users with subscriber-level access or higher can inject arbitrary web scripts that execute whenever a user accesses the injected page. This allows attackers to run malicious scripts within the context of the affected site. [1]
How can this vulnerability impact me? :
This vulnerability can allow an authenticated attacker to inject malicious scripts that execute in the browsers of users who visit the affected pages. This can lead to unauthorized actions such as stealing session cookies, performing actions on behalf of users, or defacing the website. Since the attacker needs at least subscriber-level access, it can be exploited by users with limited privileges to escalate their impact within the site. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Inactive Logout WordPress plugin version is 3.5.5 or earlier, as these versions are vulnerable to stored Cross-Site Scripting via the 'ina_redirect_page_individual_user' parameter. Detection can involve inspecting HTTP requests or POST data for suspicious or malicious scripts injected into this parameter. Additionally, reviewing the plugin settings for role-based redirect URLs that contain unexpected or unsafe scripts may help identify exploitation attempts. Since the vulnerability involves stored XSS, monitoring pages where user role-based redirects are applied for unexpected script execution is also advised. Specific commands are not provided in the resources, but typical detection might include searching the WordPress database options for suspicious content in options like '__ina_multiusers_settings' or '__ina_custom_redirect_text_field'. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, update the Inactive Logout plugin to version 3.6.0 or later, where the vulnerability is fixed by sanitizing and validating redirect URLs and enforcing strict permission checks. If updating is not immediately possible, restrict access to the plugin settings to only trusted administrators with 'manage_options' capability, and avoid using role-based redirect URLs until patched. Additionally, ensure that nonce verification and capability checks are enforced to prevent unauthorized changes. Monitoring and resetting role-based settings to remove potentially malicious redirect URLs can also help mitigate risk. [1, 3]