CVE-2025-23923
Published: 03 February 2025
Summary
CVE-2025-23923 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 17.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-23923, published on 2025-02-03, is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79. It affects the Lockets WordPress plugin by wackey, in all versions up to and including 0.999 (listed as "from n/a through <= 0.999").
The vulnerability carries a CVSS v3.1 base score of 7.1 (High), with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. Remote attackers with no privileges can exploit it over the network with low complexity by tricking users into interacting with malicious input, such as clicking a crafted link. Exploitation changes scope and enables low-impact effects on confidentiality, integrity, and availability, typically allowing script injection to steal session data or perform actions in the victim's context.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/lockets/vulnerability/wordpress-lockets-plugin-0-999-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents this Reflected XSS issue in Lockets version 0.999. Practitioners should consult the advisory for recommended mitigations, such as applying available patches or updates.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3538
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wackey Lockets lockets allows Reflected XSS. This issue affects Lockets: from n/a through <= 0.999.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress plugin directly enables T1190 (exploiting a public-facing application via crafted input) and facilitates T1185 (browser session hijacking, since injected script can steal session data).
Mitigating Controls (NIST 800-53 r5)
Information output filtering (SI-15) directly neutralizes reflected malicious scripts by encoding or sanitizing user-supplied input before it is rendered into the web page, which addresses the root of Reflected XSS.
Information input validation (SI-10) rejects or sanitizes malicious payloads in user inputs, preventing the injection of executable script that leads to XSS exploitation.
Flaw remediation ensures timely patching of the specific Lockets plugin vulnerability, eliminating the root cause of improper input neutralization.
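To show what the SI-10 and SI-15 controls look like inside a WordPress plugin, here is an added example written for this page; it is not Lockets' code, and the shortcode name, handler names and the `q` parameter are hypothetical. The unsafe pattern (raw request data echoed into HTML, the CWE-79 shape) sits beside the hardened one.

```php
<?php
// Hypothetical shortcode handler written for this page, NOT taken from the
// Lockets plugin. It reflects a request parameter back into the page.

// Unsafe: the raw query-string value is concatenated straight into HTML,
// so any markup or script in ?q= is rendered in the visitor's browser.
function example_unsafe_results() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    return '<div class="results">Results for: ' . $q . '</div>';
}

// Hardened: SI-10 (input validation) and SI-15 (output filtering) applied.
function example_safe_results() {
    // SI-10: unslash, strip tags and control characters, and bound the length.
    // sanitize_text_field() is validation only; it does not HTML-encode.
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    $q = mb_substr( $q, 0, 100 );

    // SI-15: encode for the exact output context at the moment of output.
    // esc_html() is correct for text between tags.
    return '<div class="results">Results for: ' . esc_html( $q ) . '</div>';
}

// The same value placed in an attribute needs esc_attr(), not esc_html().
function example_safe_search_box() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    $q = mb_substr( $q, 0, 100 );
    return '<input type="text" name="q" value="' . esc_attr( $q ) . '">';
}

// Register the hardened handler (hypothetical shortcode tag).
add_shortcode( 'example_results', 'example_safe_results' );
```

The validation step alone is not enough: without the context-specific `esc_*()` call at output, a value that passes `sanitize_text_field()` can still break out of an attribute.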