Impact
The vulnerability is an instance of improper neutralization of user‑supplied input during web page generation, classified as CWE‑79. It enables attackers to inject malicious script code that is rendered directly in the browser when a user visits a crafted URL or page generated by the Lockets plugin. The injected code can perform a range of client‑side attacks, including session hijacking, defacement, phishing, and the execution of arbitrary client‑side actions, thereby compromising the confidentiality, integrity, and availability of user sessions and the website’s perceived trustworthiness.
Affected Systems
The flaw exists in the WordPress Lockets plugin developed by the vendor Wackey, affecting all installations using version 0.999 or earlier. Any WordPress site that has this plugin installed and accepts user input (or displays content that is not properly sanitized) is potentially vulnerable. The vulnerability is not tied to any specific server or operating‑system platform, as it resides entirely in the plugin’s PHP code and the way it renders content to the browser.
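The CWE-79 pattern described under Impact, and the PHP rendering path named above, reduce to one mistake: a request parameter is written into the generated page without context-appropriate encoding. The following PHP is an added illustration, not the Lockets plugin's own code, showing a deliberately vulnerable render function beside its hardened form. It uses the real WordPress escaping functions esc_html() and esc_attr(); the fallback definitions guarded by function_exists() are an assumption added so the file also runs from the command line outside WordPress, and the sample input is constructed.

```php
<?php
// Added illustration (not the Lockets plugin's own code): the CWE-79 pattern
// shown as a vulnerable render function beside a hardened one.
// Inside WordPress, esc_html()/esc_attr() are provided by core; the fallbacks
// below (an assumption for stand-alone use) map to htmlspecialchars().
declare(strict_types=1);

if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable: reflects a request parameter into the page with no encoding.
// Whatever markup arrives in the query string becomes part of the DOM,
// which is exactly the reflected XSS condition described in the advisory.
function render_vulnerable(array $get): string {
    $title = $get['title'] ?? '';
    return '<h2>' . $title . "</h2>\n"
         . '<input name="title" value="' . $title . '">';
}

// Hardened: encode for the context the value lands in.
// HTML text content -> esc_html(); attribute value -> esc_attr().
// Encoding at output time neutralizes <, >, ", ' and & so the browser
// treats the parameter as text rather than markup.
function render_hardened(array $get): string {
    $title = $get['title'] ?? '';
    return '<h2>' . esc_html($title) . "</h2>\n"
         . '<input name="title" value="' . esc_attr($title) . '">';
}

// Constructed sample input: benign markup with an attribute and a stray quote,
// standing in for any untrusted value arriving via $_GET.
$sample = ['title' => '<b onmouseover="x()">hi</b>"'];

echo "vulnerable:\n", render_vulnerable($sample), "\n\n";
echo "hardened:\n", render_hardened($sample), "\n";
```

Run with `php example.php` and compare the two outputs: the vulnerable version emits the markup verbatim, the hardened version emits entity-encoded text that renders as literal characters. The fix is applied at the point of output rather than on input, because the correct encoding depends on where the value is placed (element text, attribute, URL, or JavaScript); where a plugin genuinely needs to allow limited markup, WordPress's wp_kses_post() filters to an allow-list instead of encoding everything.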
Risk and Exploitability
The CVSS score of 7.1 indicates a moderate‑to‑high severity posture, while the EPSS score of less than 1% suggests a very low prior exploitation rate. The vulnerability is not listed in the CISA KEV catalog. Because the attack requires a user to visit a maliciously crafted URL and relies on reflected input, exploitation is contingent on user interaction, but because the attack is simple to trigger, attackers can distribute such links via social media, email, or other means. No authentication or elevated privileges are needed, so any visitor can be targeted; the effect is confined to each victim's web‑browser context, but a compromised user session can still expose sensitive session data or be used to deface content. Taken together, the risk is moderate but should be mitigated promptly to avoid exploitation on high‑traffic or high‑value sites.
OpenCVE Enrichment