{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9946", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-03T13:16:09.226Z", "datePublished": "2025-09-30T03:35:33.403Z", "dateUpdated": "2026-04-08T17:30:52.452Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:52.452Z"}, "affected": [{"vendor": "lockerpress", "product": "LockerPress \u2013 WordPress Security Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LockerPress \u2013 WordPress Security Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "LockerPress \u2013 WordPress Security Plugin <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e9cf6b7f-d2b0-47f9-beec-8773f260c088?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/lockerpress-wordpress-security/trunk/core.php#L174"}, {"url": "https://plugins.trac.wordpress.org/browser/lockerpress-wordpress-security/trunk/views/login_url.php#L20"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2025-09-29T15:32:19.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-30T13:15:22.564881Z", "id": "CVE-2025-9946", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-30T13:15:29.780Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9946", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-30T13:15:22.564881Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-30T13:15:26.270Z"}}], "cna": {"title": "LockerPress \u2013 WordPress Security Plugin <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "lockerpress", "product": "LockerPress \u2013 WordPress Security Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-29T15:32:19.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e9cf6b7f-d2b0-47f9-beec-8773f260c088?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/lockerpress-wordpress-security/trunk/core.php#L174"}, {"url": "https://plugins.trac.wordpress.org/browser/lockerpress-wordpress-security/trunk/views/login_url.php#L20"}], "descriptions": [{"lang": "en", "value": "The LockerPress \u2013 WordPress Security Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:52.452Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9946", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:30:52.452Z", "dateReserved": "2025-09-03T13:16:09.226Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-30T03:35:33.403Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The LockerPress \u2013 WordPress Security Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin LockerPress \u2013 WordPress Security para WordPress es vulnerable a la falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta la 1.0, inclusive. Esto se debe a una validaci\u00f3n nonce faltante o incorrecta en una funci\u00f3n. Esto hace posible que atacantes no autenticados actualicen la configuraci\u00f3n e inyecten scripts web maliciosos a trav\u00e9s de una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-9946", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-30T11:37:47.380", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/lockerpress-wordpress-security/trunk/core.php#L174"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/lockerpress-wordpress-security/trunk/views/login_url.php#L20"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e9cf6b7f-d2b0-47f9-beec-8773f260c088?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:44:39.590013+00:00", "value": {"mitigation_remediation": ["Upgrade LockerPress to a version newer than 1.0 if available; if no newer release exists, remove the plugin entirely.", "Enforce proper nonce validation on all state\u2011changing operations in the plugin\u2019s codebase.", "Deploy a web application firewall rule to detect and block requests lacking a valid nonce or targeting the plugin\u2019s settings endpoint."], "summary": {"action": "Update Plugin", "impact": "Stored Cross\u2011Site Scripting via CSRF"}, "threat_synthesis": {"affected_systems": "Any WordPress installation using LockerPress \u2013 WordPress Security Plugin version 1.0 or earlier is impacted. The vendor identified the entire product line up to that release as vulnerable.", "description_and_impact": "The LockerPress \u2013 WordPress Security Plugin Up to 1.0 is missing or incorrectly validating a nonce on a function, allowing an unauthenticated attacker to send a forged request that updates plugin settings. This can inject malicious scripts into the site, resulting in stored cross\u2011site scripting that is executed when any user views the affected page. The weakness corresponds to CWE\u2011352, a Cross\u2011Site Request Forgery flaw that facilitates the exploit.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.1, indicating moderate severity. The EPSS score is less than 1%, implying low current exploitation probability. It is not listed in the CISA KEV catalog. The attack requires the victim to click a crafted link or form; thus it is a classic CSRF scenario, potentially exploitable by any attacker who can lure an administrator into taking a privileged action."}}}}, "created": "2025-09-30T08:47:30.203324+00:00", "updated": "2026-04-20T21:45:18.978776+00:00", "vendors": ["lockerpress", "lockerpress$PRODUCT$wordpress_security_plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}