Platform
wordpress
Component
excel-like-price-change-for-woocommerce-and-wp-e-commerce-light
Fixed in
2.4.38
CVE-2025-48123 is a code injection vulnerability (improper control of code generation, CWE-94) in the Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light WordPress plugin by Holest Engineering. Because attacker-supplied input can end up being executed as code, the flaw amounts to remote code execution (RCE) and can lead to full compromise of the site and of the host it runs on. Every release up to and including 2.4.37 (listed as 0.0 through 2.4.37) is affected; the fix shipped in version 2.4.38.
The weakness is improper control of code generation: input that an attacker controls is not kept separate from code the plugin evaluates, so a crafted payload runs as PHP on the web server with the privileges of the web application user (typically the PHP-FPM or web server account). From there an attacker can read the database credentials in wp-config.php and any data the site holds, alter page content, drop web shells or other malware, and pivot to a full server takeover. Because the plugin exists to edit product prices in bulk, pricing data is also an obvious target for disruptive or fraudulent changes. The advisory does not say which request path triggers the flaw or whether it requires an authenticated user, so treat every reachable install of an affected version as exposed rather than relying on an assumed precondition.
The vulnerability was publicly disclosed on 2025-06-09. No public exploit is known at the time of writing, and the EPSS score listed on this page is correspondingly low, but the CRITICAL rating and the RCE impact make exploitation attempts likely once details circulate, and the plugin's install base makes it an attractive target. Keep watching security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS
0.10% (26th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade the Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light plugin to version 2.4.38 or later without delay. If the upgrade cannot be applied immediately because of compatibility testing, deactivate the plugin until it can: WordPress stops loading a deactivated plugin's code, which closes the injection path through normal plugin hooks, although files that can be requested directly still sit on disk, so deleting the plugin is safer than merely deactivating it. Site operators cannot realistically patch the plugin's own input handling, so adding input validation only applies if you maintain a fork or a custom integration that feeds data into it. A web application firewall with rules for PHP code injection adds a layer of defense but is not a substitute for the update. Also review web server and PHP logs for requests to the plugin's endpoints with unexpected parameters, newly created or modified PHP files under wp-content, and unexpected processes spawned by the PHP worker, any of which would point to an exploitation attempt.
Update the Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light plugin to version 2.4.38 or higher to close the remote code execution vulnerability. Check the installed version on the Plugins screen in wp-admin or with the WP-CLI command wp plugin list, and compare it with the release listed in the WordPress.org plugin repository or on Holest Engineering's website. If the plugin is not essential to the site, delete it rather than leaving it deactivated.
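As an added example (not part of this advisory or of the vendor's code), the following POSIX shell script checks whether the installed copy of the plugin is below the fixed release and remediates it with WP-CLI, first by updating and, if that does not reach 2.4.38, by deactivating it. It assumes WP-CLI is installed and the script is run from the WordPress root; the slug is the plugin directory name given at the top of this page, and RUN_REMEDIATE is a hypothetical switch introduced here so the version comparison can be exercised without a live site.

```shell
#!/bin/sh
# Added example, not the plugin's or the advisory's own code.
# Assumes: WP-CLI (`wp`) on PATH, executed from the WordPress root.
set -u

PLUGIN_SLUG="excel-like-price-change-for-woocommerce-and-wp-e-commerce-light"
FIXED_VERSION="2.4.38"

# vpart VERSION N: print the N-th dotted component as an integer. A trailing
# '.' is appended so `cut` always sees a delimiter; absent or non-numeric
# components become 0, which errs toward flagging odd version strings.
vpart() {
    p=$(printf '%s.' "$1" | cut -d. -f"$2")
    case "$p" in
        ''|*[!0-9]*) printf '0' ;;
        *) printf '%s' "$p" ;;
    esac
}

# version_lt A B: succeed (return 0) when A sorts strictly before B, comparing
# up to four numeric components. Missing components count as 0, so 2.4 < 2.4.38.
version_lt() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(vpart "$1" "$i"); y=$(vpart "$2" "$i")
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1   # all components equal: not less than
}

# is_vulnerable INSTALLED: succeed when INSTALLED is below the fixed release.
is_vulnerable() { version_lt "$1" "$FIXED_VERSION"; }

# remediate: read the installed version via WP-CLI, then update or deactivate.
# Only this function touches WP-CLI; everything above runs offline.
remediate() {
    command -v wp >/dev/null 2>&1 || { echo "wp (WP-CLI) not found on PATH"; return 2; }
    if ! installed=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null); then
        echo "$PLUGIN_SLUG is not installed; nothing to do."
        return 0
    fi
    if ! is_vulnerable "$installed"; then
        echo "$PLUGIN_SLUG $installed is at or above $FIXED_VERSION; no action needed."
        return 0
    fi
    echo "$PLUGIN_SLUG $installed is vulnerable (fixed in $FIXED_VERSION); updating..."
    if wp plugin update "$PLUGIN_SLUG"; then
        installed=$(wp plugin get "$PLUGIN_SLUG" --field=version)
        if ! is_vulnerable "$installed"; then
            echo "updated to $installed."
            return 0
        fi
    fi
    # No update available, or still below the fix: fall back to the advisory's
    # interim measure and deactivate the plugin.
    echo "update did not reach $FIXED_VERSION; deactivating $PLUGIN_SLUG."
    wp plugin deactivate "$PLUGIN_SLUG"
}

# Hypothetical gate: only act on a site when explicitly asked, so the comparison
# functions can be sourced and tested without WP-CLI.
if [ "${RUN_REMEDIATE:-0}" = "1" ]; then
    remediate
fi
```

Run it from the WordPress root as RUN_REMEDIATE=1 sh check-price-changer.sh. The comparison is deliberately conservative: a version string with a non-numeric component (a pre-release tag, for instance) is treated as older than the fix, so an unusual build is flagged rather than silently passed.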
CVE-2025-48123 is a critical Remote Code Execution vulnerability affecting versions 0.0–2.4.37 of the Spreadsheet Price Changer for WooCommerce plugin, allowing attackers to execute arbitrary code.
If you are using Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light versions 0.0 through 2.4.37, you are vulnerable to this RCE.
Upgrade the plugin to version 2.4.38 or later to resolve the vulnerability. If immediate upgrade is not possible, disable the plugin.
While no public exploits are currently known, the CRITICAL severity and RCE nature suggest a high probability of exploitation attempts.
Refer to the Holest Engineering website and WordPress plugin repository for the latest advisory and update information.