Inactive Logout Security & Risk Analysis

wordpress.org/plugins/inactive-logout

Automatically logout idle user sessions, with logout redirections and concurrent limit logins all in one place.

20K active installs · v3.6.1 · PHP 7.4+ · WP 6.6+ · Updated Dec 9, 2025
Tags: concurrent-login-limit, idle-logout, logout, security, user-redirection
Score: 96 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Oct 31, 2025
Safety Verdict

Is Inactive Logout Safe to Use in 2026?

Generally Safe

Score 96/100

Inactive Logout has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Oct 31, 2025 · Updated 3mo ago
Risk Assessment

The 'inactive-logout' plugin v3.6.1 exhibits a mixed security posture. On the positive side, the static analysis reveals a minimal attack surface with no apparent AJAX handlers, REST API routes, shortcodes, or cron events directly exposed without authentication or permission checks. The majority of output (92%) is properly escaped, and there are a reasonable number of nonce and capability checks. However, a significant concern arises from the presence of SQL queries that are not prepared, indicating a potential for SQL injection vulnerabilities if the data processed by these queries is not sufficiently sanitized.

The vulnerability history is a major red flag. With three known CVEs, all classified as medium severity and focused on Cross-Site Scripting (XSS), Missing Authorization, and Cross-Site Request Forgery (CSRF), this plugin has a demonstrated track record of security weaknesses. While there are no currently unpatched vulnerabilities, the past patterns suggest a tendency for insecure coding practices that can lead to exploitable flaws.

The plugin's strengths lie in its limited attack surface and good output escaping, but these are overshadowed by the historical prevalence of critical vulnerability types and the presence of raw SQL queries.

Key Concerns

  • SQL queries not using prepared statements
  • History of 3 medium severity CVEs
Vulnerabilities: 3

Inactive Logout Security Vulnerabilities

CVEs by Year

  • 2023: 2 CVEs
  • 2025: 1 CVE

Severity Breakdown

Medium: 3

3 total CVEs

CVE-2025-11922 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Inactive Logout <= 3.5.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Oct 31, 2025 Patched in 3.6.0 (1d)
CVE-2023-44142 · medium · 5.3 · Missing Authorization

Inactive Logout <= 3.2.2 - Missing Authorization

Sep 20, 2023 Patched in 3.2.3 (125d)
WF-d9189eb3-be7f-42e1-92cc-b48af5615eb9-inactive-logout · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Inactive Logout <= 3.2.2 - Cross-Site Request Forgery

Sep 20, 2023 Patched in 3.2.3 (125d)
Code Analysis
Analyzed Mar 16, 2026

Inactive Logout Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (0 prepared)
Unescaped Output: 4 (46 escaped)
Nonce Checks: 4
Capability Checks: 3
File Operations: 0
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

0% prepared · 1 total queries

Output Escaping

92% escaped · 50 total outputs
Attack Surface

Inactive Logout Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 24

Type    Hook                         Location
action  admin_menu                   core\Backend\Menu.php:19
action  network_admin_menu           core\Backend\Menu.php:20
action  admin_notices                core\Base.php:30
action  plugins_loaded               core\Base.php:32
action  init                         core\Base.php:33
action  wp_enqueue_scripts           core\Base.php:35
action  admin_enqueue_scripts        core\Base.php:36
filter  plugin_action_links          core\Base.php:37
filter  auth_cookie_expiration       core\Base.php:38
action  admin_enqueue_scripts        core\Compatibility.php:22
action  admin_head                   core\Compatibility.php:23
action  admin_footer                 core\Compatibility.php:24
action  wp_loaded                    core\ConcurrentLogin.php:18
action  admin_init                   core\Controllers\AdminController.php:23
action  ina_before_settings_wrapper  core\Controllers\AdminController.php:24
action  ina_after_settings_wrapper   core\Controllers\AdminController.php:25
filter  logout_redirect              core\LogoutHandler.php:10
action  wp_logout                    core\LogoutHandler.php:11
action  wp_footer                    core\Modal.php:14
action  admin_footer                 core\Modal.php:15
action  wp_head                      core\Modal.php:16
action  login_footer                 core\Modal.php:17
action  login_head                   core\Modal.php:18
action  template_redirect            core\Modal.php:19
Maintenance & Trust

Inactive Logout Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 9, 2025
PHP min version: 7.4
Downloads: 656K

Community Trust

Rating: 94/100
Number of ratings: 106
Active installs: 20K
Developer Profile

Inactive Logout Developer Profile

Deepen Bajracharya

2 plugins · 40K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 246 days
Detection Fingerprints

How We Detect Inactive Logout

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/inactive-logout/public/scripts/admin.css
  • /wp-content/plugins/inactive-logout/public/vendor/select2/js/select2.full.min.js
  • /wp-content/plugins/inactive-logout/public/vendor/select2/css/select2.min.css
  • /wp-content/plugins/inactive-logout/public/scripts/admin.js
Script Paths
  • /wp-content/plugins/inactive-logout/public/scripts/admin.js
  • /wp-content/plugins/inactive-logout/public/vendor/select2/js/select2.full.min.js
Version Parameters
  • inactive-logout/public/scripts/admin.css?ver=
  • inactive-logout/public/vendor/select2/js/select2.full.min.js?ver=
  • inactive-logout/public/vendor/select2/css/select2.min.css?ver=
  • inactive-logout/public/scripts/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • ina-major-update-warning__separator
  • ina-major-update-warning
  • ina-major-update-warning__icon
  • ina-major-update-warning__title
  • ina-major-update-warning__message
Data Attributes
data-security-nonce
JS Globals
inactive_logout
FAQ

Frequently Asked Questions about Inactive Logout