Platform
wordpress
Component
bidorbuystoreintegrator
Fixed in
2.12.1
CVE-2025-48100 describes a Remote Code Execution (RCE) vulnerability within the extremeidea bidorbuy Store Integrator plugin for WordPress. This flaw, stemming from improper control of code generation (Code Injection), allows attackers to achieve Remote Code Inclusion. The vulnerability impacts versions from 0.0.0 through 2.12.0, and a patch is available in version 2.12.1.
The impact of this RCE vulnerability is severe. An attacker can exploit this flaw to execute arbitrary code on the affected WordPress server. This could lead to complete system compromise, including data theft, modification, or deletion. The attacker could also install malware, create backdoors for persistent access, or use the compromised server as a launchpad for further attacks against other systems on the network. The ability to achieve Remote Code Inclusion significantly expands the attack surface and potential damage.
CVE-2025-48100 has been publicly disclosed and assigned a CRITICAL CVSS score of 9.1. As of the publication date (2025-08-28), there is no indication of active exploitation campaigns. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the severity and ease of exploitation associated with Remote Code Inclusion vulnerabilities.
Exploit Status
EPSS
0.05% (16% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-48100 is to immediately upgrade the bidorbuy Store Integrator plugin to version 2.12.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. Web Application Firewalls (WAFs) configured with rules to detect and block code injection attempts can provide an additional layer of defense. Monitor WordPress access logs for suspicious activity, particularly attempts to include external files. After upgrading, confirm the vulnerability is resolved by attempting a code inclusion attempt (if safe to do so in a test environment) and verifying that it is blocked.
Update the bidorbuy Store Integrator plugin to the latest available version to mitigate the Remote Code Execution (RCE) vulnerability. Check the plugin page on WordPress.org for the latest version and update instructions. Consider disabling or removing the plugin if it is not essential for your website.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-48100 is a critical Remote Code Execution vulnerability in the bidorbuy Store Integrator WordPress plugin, allowing attackers to execute arbitrary code through Code Injection.
You are affected if your WordPress site uses bidorbuy Store Integrator versions 0.0.0 through 2.12.0. Check your plugin versions immediately.
Upgrade the bidorbuy Store Integrator plugin to version 2.12.1 or later. If immediate upgrade is not possible, temporarily disable the plugin.
As of the publication date, there is no confirmed active exploitation, but the vulnerability's severity suggests exploitation is likely.
Refer to the extremeidea website and WordPress plugin repository for the latest advisory and updates regarding CVE-2025-48100.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.