CVE-2025-23923
Published: 03 February 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-23923, published on 2025-02-03, is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79. It affects the Lockets WordPress plugin by wackey, impacting all versions from n/a through <= 0.999.
The vulnerability carries a CVSS v3.1 base score of 7.1 (High), with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. Remote attackers with no privileges can exploit it over the network with low complexity by tricking users into interacting with malicious input, such as clicking a crafted link. Exploitation changes scope and enables low-impact effects on confidentiality, integrity, and availability, typically allowing script injection to steal session data or perform actions in the victim's context.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/lockets/vulnerability/wordpress-lockets-plugin-0-999-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents this Reflected XSS issue in Lockets version 0.999. Practitioners should consult the advisory for recommended mitigations, such as applying available patches or updates.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables T1190 (exploiting public-facing apps via crafted input) and facilitates T1185 (browser session hijacking via script injection to steal session data).