Scan free
CRITICALCVE-2025-48100CVSS 9.1

CVE-2025-48100: RCE in bidorbuy Store Integrator

Platform

wordpress

Component

bidorbuystoreintegrator

Fixed in

2.12.1

AI Confidence: highNVDEPSS 0.1%Reviewed: May 2026
View on NVD
Save

CVE-2025-48100 describes a Remote Code Execution (RCE) vulnerability within the extremeidea bidorbuy Store Integrator plugin for WordPress. This flaw, stemming from improper control of code generation (Code Injection), allows attackers to achieve Remote Code Inclusion. The vulnerability impacts versions from 0.0.0 through 2.12.0, and a patch is available in version 2.12.1.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Impact and Attack Scenarios

The impact of this RCE vulnerability is severe. An attacker can exploit this flaw to execute arbitrary code on the affected WordPress server. This could lead to complete system compromise, including data theft, modification, or deletion. The attacker could also install malware, create backdoors for persistent access, or use the compromised server as a launchpad for further attacks against other systems on the network. The ability to achieve Remote Code Inclusion significantly expands the attack surface and potential damage.

Exploitation Context

CVE-2025-48100 has been publicly disclosed and assigned a CRITICAL CVSS score of 9.1. As of the publication date (2025-08-28), there is no indication of active exploitation campaigns. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the severity and ease of exploitation associated with Remote Code Inclusion vulnerabilities.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.05% (16% percentile)

CISA SSVC

Exploitationnone
Automatableno
Technical Impacttotal

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H9.1CRITICALAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredHighAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeChangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityHighRisk of unauthorized data modificationAvailabilityHighRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
High — admin or privileged account required to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Componentbidorbuystoreintegrator
Vendorextremeidea
Affected rangeFixed in
0 – 2.12.02.12.1

Package Information

Active installs
40
Plugin rating
5.0
Requires WordPress
4.8+
Compatible up to
5.6.17
Homepage

Weakness Classification (CWE)

CWE-94

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-48100 is to immediately upgrade the bidorbuy Store Integrator plugin to version 2.12.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. Web Application Firewalls (WAFs) configured with rules to detect and block code injection attempts can provide an additional layer of defense. Monitor WordPress access logs for suspicious activity, particularly attempts to include external files. After upgrading, confirm the vulnerability is resolved by attempting a code inclusion attempt (if safe to do so in a test environment) and verifying that it is blocked.

How to fix

Update the bidorbuy Store Integrator plugin to the latest available version to mitigate the Remote Code Execution (RCE) vulnerability. Check the plugin page on WordPress.org for the latest version and update instructions. Consider disabling or removing the plugin if it is not essential for your website.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-48100 — RCE in bidorbuy Store Integrator?

CVE-2025-48100 is a critical Remote Code Execution vulnerability in the bidorbuy Store Integrator WordPress plugin, allowing attackers to execute arbitrary code through Code Injection.

Am I affected by CVE-2025-48100 in bidorbuy Store Integrator?

You are affected if your WordPress site uses bidorbuy Store Integrator versions 0.0.0 through 2.12.0. Check your plugin versions immediately.

How do I fix CVE-2025-48100 in bidorbuy Store Integrator?

Upgrade the bidorbuy Store Integrator plugin to version 2.12.1 or later. If immediate upgrade is not possible, temporarily disable the plugin.

Is CVE-2025-48100 being actively exploited?

As of the publication date, there is no confirmed active exploitation, but the vulnerability's severity suggests exploitation is likely.

Where can I find the official bidorbuy Store Integrator advisory for CVE-2025-48100?

Refer to the extremeidea website and WordPress plugin repository for the latest advisory and updates regarding CVE-2025-48100.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs