CVE-2025-23923: 
WordPress vulnerability analysis and mitigation

The Lockets WordPress plugin contains a Reflected Cross-Site Scripting (XSS) vulnerability affecting all versions up to and including 0.999. The vulnerability was discovered on January 16, 2025, and was assigned CVE-2025-23923. This security issue allows unauthenticated attackers to inject malicious web scripts that execute when users interact with the affected pages (Patchstack, WPScan).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue caused by insufficient input sanitization and output escaping in the Lockets plugin. It has been assigned a CVSS v3.1 score of 7.1 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is tracked under CWE-79: Improper Neutralization of Input During Web Page Generation (Patchstack).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. This could lead to various malicious activities including redirects, unauthorized advertisements, and execution of other malicious HTML payloads on the affected website (Patchstack).

While no official fix is currently available, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks. Website administrators are advised to implement the virtual patch until an official fix becomes available (Patchstack).

The vulnerability was initially reported by security researcher 0xd4rk5id3 on December 27, 2024. Patchstack issued an early warning to their customers on January 16, 2025, before publishing the vulnerability details on January 18, 2025 (Patchstack).