Platform
wordpress
Component
excel-like-price-change-for-woocommerce-and-wp-e-commerce-light
Fixed version
2.4.38
CVE-2025-48123 describes a Remote Code Execution (RCE) vulnerability within the Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light plugin. This flaw allows attackers to inject arbitrary code, potentially leading to complete system compromise. The vulnerability impacts versions from 0.0 up to and including 2.4.37. A patch is available in version 2.4.38.
The vulnerability stems from improper control of code generation, enabling code injection. An attacker could craft a malicious payload and inject it into the plugin's processing pipeline. Successful exploitation allows the attacker to execute arbitrary commands on the web server with the privileges of the web application user. This could lead to data theft, modification of website content, installation of malware, or even complete server takeover. Given the plugin's function of manipulating product prices, an attacker could also disrupt business operations by altering pricing data.
This vulnerability was publicly disclosed on 2025-06-09. There are currently no known public exploits, but the CRITICAL severity and RCE nature suggest a high likelihood of exploitation attempts. The plugin's popularity makes it a potentially attractive target. Monitor security advisories and threat intelligence feeds for updates.
Websites utilizing the Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light plugin, particularly those running older, unpatched versions (0.0 – 2.4.37), are at significant risk. Shared hosting environments where multiple websites share the same server resources are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r 'eval(base64_decode(' /var/www/html/wp-content/plugins/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light
• wordpress / composer / npm:
wp plugin list --fields=name,status,version | grep 'excel-like-price-change'
• generic web: Check for unusual PHP process executions in web server access logs, particularly those originating from the plugin's directory.
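As an added example (not part of this advisory or the plugin's own code), the following POSIX shell check reads the installed plugin's version from its WordPress plugin header and compares it against the fixed release 2.4.38, so an operator can triage many hosts without relying on `wp-cli` being present. The plugin directory name is the one given in the advisory; the assumption that the version is declared in a standard `Version:` header in a PHP file at the top of that directory is mine, not something the advisory states.

```shell
#!/bin/sh
# Added example: classify an installation of the plugin named in CVE-2025-48123
# as vulnerable, patched, unknown or not-installed by its declared version.

PLUGIN_SLUG=excel-like-price-change-for-woocommerce-and-wp-e-commerce-light  # from the advisory
FIXED_VERSION=2.4.38                                                            # from the advisory

# Extract the value of the "Version:" plugin header from the first PHP file in
# the plugin directory that carries one (assumed standard WordPress header layout).
plugin_version() {
    dir="$1"
    grep -h -m1 -E '^[[:space:]]*\*?[[:space:]]*Version:' "$dir"/*.php 2>/dev/null \
        | head -n1 \
        | sed -E 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//'
}

# True (exit 0) when dotted version $1 sorts strictly below $2, comparing each
# component numerically so that 2.4.9 is correctly ranked below 2.4.38.
version_lt() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# Print one of: "vulnerable (<v>)", "patched (<v>)", "unknown", "not-installed".
# $1 is the WordPress document root (the directory that contains wp-content).
check_plugin() {
    wp_root="$1"
    dir="$wp_root/wp-content/plugins/$PLUGIN_SLUG"
    if [ ! -d "$dir" ]; then
        echo not-installed
        return 0
    fi
    v="$(plugin_version "$dir")"
    if [ -z "$v" ]; then
        echo unknown
        return 0
    fi
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "vulnerable ($v)"
    else
        echo "patched ($v)"
    fi
}

# Usage: sh check_price_changer.sh /var/www/html
if [ -n "$1" ]; then
    check_plugin "$1"
fi
```

The check deliberately reports `unknown` rather than `patched` when no header can be read, so a renamed or partially deleted plugin directory is not silently treated as safe; pair it with the file-content and log checks above, since a site that has already been compromised may carry a patched version alongside attacker-dropped files.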
disclosure
Exploit status
EPSS
0.10% (26th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light plugin to version 2.4.38 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily disabling the plugin to prevent exploitation. As a secondary measure, implement strict input validation and sanitization on any user-supplied data processed by the plugin. Web application firewalls (WAFs) configured to detect and block code injection attempts can provide an additional layer of defense. Monitor web server logs for suspicious activity, such as unusual command execution attempts.
Update the Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light plugin to version 2.4.38 or later to mitigate the remote code execution vulnerability. Check the WordPress plugin repository or the developer's website for available updates. If the plugin is not essential to your website, deactivate or remove it.
CVE-2025-48123 is a critical Remote Code Execution vulnerability affecting versions 0.0–2.4.37 of the Spreadsheet Price Changer for WooCommerce plugin, allowing attackers to execute arbitrary code.
If you are using Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light versions 0.0 through 2.4.37, you are vulnerable to this RCE.
Upgrade the plugin to version 2.4.38 or later to resolve the vulnerability. If immediate upgrade is not possible, disable the plugin.
While no public exploits are currently known, the CRITICAL severity and RCE nature suggest a high probability of exploitation attempts.
Refer to the Holest Engineering website and WordPress plugin repository for the latest advisory and update information.