Vulnerabilities and security researches forinactive-logout inactive-logout

Jun 07, 2024

CVE, Research URL: 46dbd77684eef58bd540295eb5726e7431e5561a
Home page URL: Security reports for Inactive Logout
Application: Inactive Logout
Date: Sep 20, 2023
Research Description: Inactive Logout [inactive-logout] < 3.2.3 Inactive Logout <= 3.2.2 - Missing Authorization The Inactive Logout plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ina_reset_adv_settings() function in versions up to, and including, 3.2.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to reset the plugin's settings.
Affected versions: max 3.2.3.
Status: vulnerable

Jun 10, 2024

CVE, Research URL: CVE-2023-44142
Home page URL: Security reports for Inactive Logout
Application: Inactive Logout
Date: Dec 13, 2024
Research Description: Missing Authorization vulnerability in Inactive Logout Inactive Logout allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Inactive Logout: from n/a through 3.2.2.
Affected versions: max 3.2.3.
Status: vulnerable

Nov 10, 2025

CVE, Research URL: CVE-2025-11922
Home page URL: Security reports for Inactive Logout
Application: Inactive Logout
Date: Nov 01, 2025
Research Description: The Inactive Logout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ina_redirect_page_individual_user' parameter in all versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.6.0.
Status: vulnerable