Platform
wordpress
Component
metalpriceapi
Fixed in
1.1.5
CVE-2025-48140 describes a Remote Code Execution (RCE) vulnerability within the MetalpriceAPI WordPress plugin. This flaw allows attackers to inject and execute arbitrary code on vulnerable systems, leading to complete compromise. The vulnerability impacts versions 0.0.0 through 1.1.4 of the plugin, and a fix is available in version 1.1.5.
The impact of this RCE vulnerability is severe. An attacker could leverage it to execute malicious code directly on the WordPress server hosting the MetalpriceAPI plugin. This could lead to complete system takeover, allowing the attacker to steal sensitive data, modify website content, install malware, or use the server as a launchpad for further attacks. Given the plugin's potential access to financial data (metal prices), the risk of data exfiltration and manipulation is particularly concerning. The ability to execute arbitrary code bypasses standard security controls, making it a high-priority threat.
CVE-2025-48140 was publicly disclosed on 2025-06-09. The vulnerability's ease of exploitation and the potential for significant impact suggest a medium probability of exploitation (EPSS score likely medium). Public proof-of-concept (POC) code is anticipated to emerge quickly, increasing the risk of widespread exploitation. Monitor security advisories and threat intelligence feeds for updates on active exploitation campaigns.
Exploit Status
EPSS
0.10% (26th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-48140 is to immediately upgrade the MetalpriceAPI plugin to version 1.1.5 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily disabling the plugin to prevent exploitation. Web Application Firewall (WAF) rules can be implemented to filter potentially malicious code injection attempts targeting the plugin's endpoints. Monitor WordPress logs for suspicious activity, particularly code execution attempts or unusual file modifications. After upgrading, verify the fix by attempting a known code injection payload through the plugin's interface and confirming that it is blocked.
Update the MetalpriceAPI plugin to the latest available version to mitigate the code injection vulnerability. Check for plugin updates in the WordPress repository or on the developer's website. Implement additional security measures, such as input validation and data sanitization, to prevent future vulnerabilities.
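As an added example (not part of this advisory and not the plugin's own code), the following Python script turns the version check above into something an administrator can run against a WordPress install: it reads the `Version:` header from the plugin directory `wp-content/plugins/metalpriceapi/` (the directory name is assumed from the Component field) and reports whether the installed release falls in the affected range 0.0.0 through 1.1.4, treating pre-releases of 1.1.5 as still affected. The sample header embedded in the script is constructed for illustration.

```python
"""Defender-side checker for CVE-2025-48140: report whether an installed
MetalpriceAPI plugin still falls in the affected range 0.0.0 through 1.1.4."""
import re
from pathlib import Path

FIXED_VERSION = (1, 1, 5)            # first fixed release per the advisory
PLUGIN_SLUG = "metalpriceapi"        # advisory's Component field; directory name assumed
# WordPress plugin header line, e.g. " * Version: 1.1.4"
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)

# Constructed sample of a plugin main-file header (not the real plugin's file)
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: MetalpriceAPI
 * Version: 1.1.4
 */
"""

def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) from a version string."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))[:3]
    nums += (0,) * (3 - len(nums))           # pad "1.1" -> (1, 1, 0)
    return nums, bool(m.group(2))            # "-beta1" etc. marks a pre-release

def is_affected(version):
    """True for any release below 1.1.5, and for pre-releases of 1.1.5 itself."""
    nums, pre = parse_version(version)
    return nums < FIXED_VERSION or (nums == FIXED_VERSION and pre)

def version_from_header(php_source):
    """Extract the Version: value from a WordPress plugin header, or None."""
    m = HEADER_RE.search(php_source)
    return m.group(1) if m else None

def check_wordpress_root(root):
    """Return (version, affected) for the plugin under root, or None if absent."""
    plugin_dir = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):     # header lives in the main file
        version = version_from_header(php.read_text(errors="replace"))
        if version:
            return version, is_affected(version)
    return None

if __name__ == "__main__":
    v = version_from_header(SAMPLE_HEADER)
    status = "AFFECTED, upgrade to 1.1.5 or later" if is_affected(v) else "fixed"
    print(f"sample header: {v} -> {status}")
```

Run it as `python3 check_metalpriceapi.py` for the built-in sample, or call `check_wordpress_root("/var/www/html")` for a real site; an `AFFECTED` result means upgrade or disable the plugin as described above.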
CVE-2025-48140 is a critical Remote Code Execution vulnerability in the MetalpriceAPI WordPress plugin, allowing attackers to execute arbitrary code.
You are affected if you are using MetalpriceAPI versions 0.0.0 through 1.1.4. Check your plugin versions and upgrade immediately.
Upgrade the MetalpriceAPI plugin to version 1.1.5 or later. Temporarily disable the plugin if upgrading is not immediately possible.
While active exploitation is not yet confirmed, the vulnerability's severity and ease of exploitation suggest a high likelihood of exploitation.
Refer to the MetalpriceAPI project's official website or WordPress plugin repository for the latest advisory and updates.