Cross-Site Request Forgery in LockerPress WordPress Security Plugin
CVE-2025-9946

6.1MEDIUM

Key Information:

Vendor

WordPress
Status
Lockerpress – WordPress Security Plugin
Vendor
CVE Published:
30 September 2025

What is CVE-2025-9946?

The LockerPress – WordPress Security Plugin is susceptible to Cross-Site Request Forgery vulnerabilities in all versions prior to 1.0. This flaw stems from inadequate nonce validation, enabling unauthenticated attackers to potentially alter plugin settings and execute malicious scripts by tricking a site administrator into clicking a deceptive link. Effective nonce validation is crucial to preventing unauthorized actions and protecting site integrity.

Affected Version(s)

LockerPress – WordPress Security Plugin * <= 1.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/lockerpress-wo...
https://plugins.trac.wordpress.org/browser/lockerpress-wo...

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nabil Irawan
JSON
.
CVE-2025-9946 : Cross-Site Request Forgery in LockerPress WordPress Security Plugin