Platform
wordpress
Component
metalpriceapi
Fixed in
1.1.5
CVE-2025-48140 describes a Remote Code Execution (RCE) vulnerability within the MetalpriceAPI WordPress plugin. This flaw allows attackers to inject and execute arbitrary code on vulnerable systems, leading to complete compromise. The vulnerability impacts versions 0.0.0 through 1.1.4 of the plugin, and a fix is available in version 1.1.5.
The impact of this RCE vulnerability is severe. An attacker could leverage it to execute malicious code directly on the WordPress server hosting the MetalpriceAPI plugin. This could lead to complete system takeover, allowing the attacker to steal sensitive data, modify website content, install malware, or use the server as a launchpad for further attacks. Given the plugin's potential access to financial data (metal prices), the risk of data exfiltration and manipulation is particularly concerning. The ability to execute arbitrary code bypasses standard security controls, making it a high-priority threat.
CVE-2025-48140 was publicly disclosed on 2025-06-09. The vulnerability's ease of exploitation and potential for significant impact suggest a medium probability of exploitation (EPSS score likely medium). Public proof-of-concept (PoC) code is expected to emerge quickly, increasing the risk of widespread exploitation. Monitor security advisories and threat-intelligence feeds for updates on active exploitation campaigns.
Websites utilizing the MetalpriceAPI plugin, particularly those handling sensitive financial data or operating in environments with limited security controls, are at significant risk. Shared hosting environments are especially vulnerable as a single compromised plugin instance can impact multiple websites.
• wordpress / composer / npm:
grep -r "metalpriceapi" /var/www/html/wp-content/plugins/
wp plugin list | grep metalpriceapi
• generic web:
curl -I https://example.com/wp-content/plugins/metalpriceapi/ | grep Server
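As an added defender-side check (not part of this advisory or of the plugin itself), the following POSIX shell script reads the version recorded in the plugin's header, compares it with the fixed release 1.1.5 and reports any copy in the affected 0.0.0 to 1.1.4 range. The wp-content/plugins/metalpriceapi/*.php layout is an assumption, and the header written by sample_header is constructed sample data for the stand-alone demo.

```shell
# Added example (not from the advisory): flag an installed MetalpriceAPI copy
# whose plugin-header version falls in the affected range 0.0.0 - 1.1.4.
# Assumes the standard WordPress layout wp-content/plugins/metalpriceapi/*.php.
FIXED_VERSION="1.1.5"

# Print "lt", "eq" or "gt" for dotted version $1 relative to $2 (numeric per field).
vercmp() {
  if [ "$1" = "$2" ]; then echo eq; return 0; fi
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
  if [ "$lowest" = "$1" ]; then echo lt; else echo gt; fi
}

# Extract the "Version:" line from a WordPress plugin header ("*" prefix tolerated).
plugin_version() {
  sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n1
}

# Exit status 0 when $1 is below the fixed version (i.e. within the affected range).
is_affected() {
  [ "$(vercmp "$1" "$FIXED_VERSION")" = lt ]
}

# Scan a wp-content/plugins directory; status 0 if an affected copy is found.
check_plugin_dir() {
  found=1
  for f in "$1"/metalpriceapi/*.php; do
    [ -f "$f" ] || continue
    v=$(plugin_version "$f")
    [ -n "$v" ] || continue
    if is_affected "$v"; then
      echo "AFFECTED: $f reports version $v (fixed in $FIXED_VERSION)"
      found=0
    else
      echo "ok: $f reports version $v"
    fi
  done
  return $found
}

# Constructed plugin header used for the stand-alone demo below (sample data).
sample_header() {
  printf '<?php\n/*\nPlugin Name: MetalpriceAPI\nVersion: %s\n*/\n' "$1"
}

demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/metalpriceapi"
sample_header 1.1.4 > "$demo_dir/metalpriceapi/metalpriceapi.php"
check_plugin_dir "$demo_dir" || true   # prints AFFECTED for the 1.1.4 sample
rm -rf "$demo_dir"
```

Point check_plugin_dir at a real plugins directory (for example the /var/www/html/wp-content/plugins path used in the grep above) to check a live install; a non-zero exit means no affected copy was found.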
Exploit status
EPSS
0.10% (percentile 26%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-48140 is to immediately upgrade the MetalpriceAPI plugin to version 1.1.5 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily disabling the plugin to prevent exploitation. Web Application Firewall (WAF) rules can be implemented to filter potentially malicious code injection attempts targeting the plugin's endpoints. Monitor WordPress logs for suspicious activity, particularly code execution attempts or unusual file modifications. After upgrading, verify the fix by attempting a known code injection payload through the plugin's interface and confirming that it is blocked.
Update the MetalpriceAPI plugin to the latest available version to mitigate the code-injection vulnerability. Check for plugin updates in the WordPress repository or on the developer's website. Implement additional security measures, such as input validation and data sanitization, to prevent future vulnerabilities.
CVE-2025-48140 is a critical Remote Code Execution vulnerability in the MetalpriceAPI WordPress plugin, allowing attackers to execute arbitrary code.
You are affected if you are using MetalpriceAPI versions 0.0.0 through 1.1.4. Check your plugin versions and upgrade immediately.
Upgrade the MetalpriceAPI plugin to version 1.1.5 or later. Temporarily disable the plugin if upgrading is not immediately possible.
While active exploitation is not yet confirmed, the vulnerability's severity and ease of exploitation suggest a high likelihood of exploitation.
Refer to the MetalpriceAPI project's official website or WordPress plugin repository for the latest advisory and updates.