CVE-2025-9946: 
WordPress vulnerability analysis and mitigation

The LockerPress – WordPress Security Plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 1.0. The vulnerability was discovered and disclosed in September 2025, affecting all installations of the plugin. The issue stems from missing or incorrect nonce validation on certain functions (Tenable).

The vulnerability is classified as medium severity with a CVSS score of 6.1. The security flaw exists due to missing or incorrect nonce validation on plugin functions, which allows unauthenticated attackers to update settings and inject malicious web scripts through forged requests. The attack requires social engineering to trick a site administrator into performing specific actions, such as clicking on a malicious link (Tenable).

Successful exploitation of this vulnerability could allow attackers to update plugin settings and inject malicious web scripts into the WordPress site. This could potentially lead to unauthorized changes in security configurations and the execution of malicious JavaScript code in the context of authenticated users' sessions (Tenable).

Site administrators running vulnerable versions of the LockerPress – WordPress Security Plugin should update to a version newer than 1.0 as soon as possible. Until an update can be applied, administrators should be extra cautious when clicking on links while logged into their WordPress dashboard (Tenable).