Platform
wordpress
Component
metalpriceapi
Fixed in
1.1.5
CVE-2025-48140 describes a Remote Code Execution (RCE) vulnerability within the MetalpriceAPI WordPress plugin. This flaw allows attackers to inject and execute arbitrary code on vulnerable systems, leading to complete compromise. The vulnerability impacts versions 0.0.0 through 1.1.4 of the plugin, and a fix is available in version 1.1.5.
The impact of this RCE vulnerability is severe. An attacker could leverage it to execute malicious code directly on the WordPress server hosting the MetalpriceAPI plugin. This could lead to complete system takeover, allowing the attacker to steal sensitive data, modify website content, install malware, or use the server as a launchpad for further attacks. Given the plugin's potential access to financial data (metal prices), the risk of data exfiltration and manipulation is particularly concerning. The ability to execute arbitrary code bypasses standard security controls, making it a high-priority threat.
CVE-2025-48140 was publicly disclosed on 2025-06-09. The vulnerability's ease of exploitation and the potential for significant impact suggest a medium probability of exploitation (EPSS score likely medium). Public proof-of-concept (POC) code is anticipated to emerge quickly, increasing the risk of widespread exploitation. Monitor security advisories and threat intelligence feeds for updates on active exploitation campaigns.
Websites utilizing the MetalpriceAPI plugin, particularly those handling sensitive financial data or operating in environments with limited security controls, are at significant risk. Shared hosting environments are especially vulnerable as a single compromised plugin instance can impact multiple websites.
• wordpress / composer / npm:
grep -r "metalpriceapi" /var/www/html/wp-content/plugins/
wp plugin list | grep metalpriceapi
• generic web:
curl -I https://example.com/wp-content/plugins/metalpriceapi/ | grep Server
Disclosure
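The grep and curl checks above only tell you that a plugin directory named metalpriceapi exists; they say nothing about which build is installed, and a lexical string compare would wrongly rank a hypothetical 1.1.10 below 1.1.5. The POSIX shell script below is an added example, not code from this advisory or from the MetalpriceAPI project: it reads the plugin's standard WordPress "Version:" header, compares it numerically against the fixed release 1.1.5 stated above, and reports whether the install is in the affected range. It assumes the usual wp-content/plugins/metalpriceapi layout with the header in a top-level PHP file; the WordPress root path and the main-file name are assumptions, and it is useful on hosts where wp-cli is not available.

```shell
#!/bin/sh
# Added example, not from the advisory or the MetalpriceAPI project:
# locate the MetalpriceAPI plugin under a WordPress root and decide from
# its "Version:" header whether it falls in the affected range
# (everything below the fixed release 1.1.5 stated in the advisory).
# Assumptions: standard WordPress plugin header block in a top-level PHP
# file of the plugin directory; the WordPress root is passed as $1.

FIXED_VERSION="1.1.5"   # from the advisory: fixed in 1.1.5

# version_lt A B: exit 0 when dotted version A is numerically below B.
# Numeric comparison per component, so 1.1.10 is not below 1.1.5 and a
# missing component counts as 0 (1.1 equals 1.1.0).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# is_affected VERSION: exit 0 when VERSION predates the fixed release.
is_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# plugin_version DIR: print the value of the first "Version:" header
# found in DIR's top-level PHP files (the same header WordPress reads).
plugin_version() {
    for f in "$1"/*.php; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$f" | head -n 1)
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    done
    return 1
}

# check_install WPROOT: report on the plugin under WPROOT/wp-content/plugins.
# Exit status: 0 = affected build present (or version unreadable, which is
# treated as affected), 1 = plugin not installed, 2 = patched build present.
check_install() {
    dir="$1/wp-content/plugins/metalpriceapi"
    if [ ! -d "$dir" ]; then
        echo "metalpriceapi: not installed under $1"
        return 1
    fi
    if ! v=$(plugin_version "$dir"); then
        echo "metalpriceapi: installed but no Version header found, treat as affected"
        return 0
    fi
    if is_affected "$v"; then
        echo "metalpriceapi $v: AFFECTED, upgrade to $FIXED_VERSION or later"
        return 0
    fi
    echo "metalpriceapi $v: patched"
    return 2
}

# Usage (path is an assumption): sh check_metalpriceapi.sh /var/www/html
if [ -n "${1:-}" ]; then
    check_install "$1"
fi
```

An unreadable header is deliberately reported as affected rather than skipped, so that a renamed or hand-edited plugin file does not silently pass a fleet-wide sweep; the non-zero exit codes let the script be looped over many document roots on a shared host and the results sorted.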
Exploit status
EPSS
0.10% (26th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-48140 is to immediately upgrade the MetalpriceAPI plugin to version 1.1.5 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily disabling the plugin to prevent exploitation. Web Application Firewall (WAF) rules can be implemented to filter potentially malicious code injection attempts targeting the plugin's endpoints. Monitor WordPress logs for suspicious activity, particularly code execution attempts or unusual file modifications. After upgrading, verify the fix by attempting a known code injection payload through the plugin's interface and confirming that it is blocked.
Update the MetalpriceAPI plugin to the latest available version to mitigate the code injection vulnerability. Check for plugin updates in the WordPress repository or on the developer's website. Implement additional security measures, such as input validation and data sanitization, to prevent future vulnerabilities.
CVE-2025-48140 is a critical Remote Code Execution vulnerability in the MetalpriceAPI WordPress plugin, allowing attackers to execute arbitrary code.
You are affected if you are using MetalpriceAPI versions 0.0.0 through 1.1.4. Check your plugin versions and upgrade immediately.
Upgrade the MetalpriceAPI plugin to version 1.1.5 or later. Temporarily disable the plugin if upgrading is not immediately possible.
While active exploitation is not yet confirmed, the vulnerability's severity and ease of exploitation suggest a high likelihood of exploitation.
Refer to the MetalpriceAPI project's official website or WordPress plugin repository for the latest advisory and updates.