CVE-2025-9946 Overview
CVE-2025-9946 affects the LockerPress – WordPress Security Plugin for WordPress in all versions up to and including 1.0. The vulnerability is a Cross-Site Request Forgery (CSRF) flaw caused by missing or incorrect nonce validation on a plugin function. Unauthenticated attackers can update plugin settings and inject malicious web scripts by tricking a site administrator into clicking a crafted link. The issue is tracked under CWE-352 and was published to the National Vulnerability Database on September 30, 2025.
Critical Impact
Attackers can modify security plugin settings and inject stored scripts into administrator-facing pages when a logged-in admin visits an attacker-controlled link.
Affected Products
- LockerPress – WordPress Security Plugin versions up to and including 1.0
- WordPress sites running the vulnerable plugin
- Site administrators with active authenticated sessions
Discovery Timeline
- 2025-09-30 - CVE-2025-9946 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-9946
Vulnerability Analysis
The LockerPress plugin exposes settings-handling logic without verifying a WordPress nonce token. WordPress relies on nonces to bind sensitive state-changing requests to an authenticated user session. When a function accepting POST or GET parameters omits check_admin_referer() or wp_verify_nonce(), the server accepts requests that originate from any external origin. An administrator visiting a malicious page while logged in triggers the browser to submit the forged request with valid session cookies. The plugin processes the input and updates configuration values, including fields rendered back into administrative views without sanitization.
Root Cause
The root cause is missing CSRF protection on a settings update handler in the LockerPress plugin. The vulnerable code paths are documented in the plugin source at core.php line 174 and views/login_url.php line 20, referenced in the WordPress Plugin Code Review. Because the function does not validate a token tying the request to the administrator's session, WordPress cannot distinguish attacker-forged submissions from legitimate ones. The absence of output escaping on the stored values enables a secondary script injection impact.
Attack Vector
The attack requires user interaction from a privileged administrator. An attacker hosts a page containing an auto-submitting form or an <img> tag targeting the vulnerable endpoint. When the administrator visits the page while authenticated to the WordPress site, the browser sends the request with session cookies. LockerPress accepts the request, updates the login URL or related settings, and stores attacker-supplied script content. The scope change reflects that injected scripts execute in the administrator's browser context on the WordPress admin interface. Additional analysis is available in the Wordfence Vulnerability Analysis.
Detection Methods for CVE-2025-9946
Indicators of Compromise
- Unexpected changes to LockerPress plugin settings, including modified custom login URLs
- Script tags or JavaScript payloads present in plugin configuration fields visible in the admin UI
- Administrator sessions receiving HTTP referers from external domains preceding settings changes
- New administrator accounts or unexplained option changes in wp_options following admin browsing activity
Detection Strategies
- Inspect web server access logs for POST requests to LockerPress endpoints lacking an internal Referer or Origin header
- Monitor WordPress audit logs for setting updates that occur outside scheduled administrative activity windows
- Alert on responses to /wp-admin/ requests that contain administrator cookies alongside cross-origin referers
Monitoring Recommendations
- Enable WordPress activity logging plugins to record plugin option changes with user attribution
- Track integrity of the plugin configuration tables and diff values on a regular schedule
- Correlate administrator browser telemetry with backend option changes to detect forged submissions
How to Mitigate CVE-2025-9946
Immediate Actions Required
- Deactivate the LockerPress – WordPress Security Plugin until a patched version above 1.0 is confirmed available
- Audit LockerPress settings for injected script content and unauthorized login URL changes
- Force administrator session termination and require re-authentication after cleanup
- Restrict administrator browsing behavior on systems used to manage WordPress
Patch Information
No patched version above 1.0 is referenced in the available CVE data at the time of publication. Review the vendor plugin page and the Wordfence Vulnerability Analysis for updated release information before re-enabling the plugin.
Workarounds
- Remove or deactivate the LockerPress plugin from all WordPress installations
- Deploy a web application firewall rule that requires a valid Referer header matching the site origin for POST requests to plugin endpoints
- Instruct administrators to use a dedicated browser profile for WordPress administration to reduce CSRF exposure
- Apply the principle of least privilege by limiting the number of accounts with administrator capabilities
# Example WAF rule concept: block cross-origin POSTs to LockerPress endpoints
# ModSecurity pseudo-rule
SecRule REQUEST_URI "@contains /wp-admin/admin.php" \
"chain,deny,status:403,id:1009946,msg:'CSRF: cross-origin POST to LockerPress'"
SecRule REQUEST_METHOD "@streq POST" "chain"
SecRule REQUEST_HEADERS:Referer "!@beginsWith https://your-site.example/"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

