平台
wordpress
组件
bidorbuystoreintegrator
修复版本
2.12.1
CVE-2025-48100 describes a Remote Code Execution (RCE) vulnerability within the extremeidea bidorbuy Store Integrator plugin for WordPress. This flaw, stemming from improper control of code generation (Code Injection), allows attackers to achieve Remote Code Inclusion. The vulnerability impacts versions from 0.0.0 through 2.12.0, and a patch is available in version 2.12.1.
The impact of this RCE vulnerability is severe. An attacker can exploit this flaw to execute arbitrary code on the affected WordPress server. This could lead to complete system compromise, including data theft, modification, or deletion. The attacker could also install malware, create backdoors for persistent access, or use the compromised server as a launchpad for further attacks against other systems on the network. The ability to achieve Remote Code Inclusion significantly expands the attack surface and potential damage.
CVE-2025-48100 has been publicly disclosed and assigned a CRITICAL CVSS score of 9.1. As of the publication date (2025-08-28), there is no indication of active exploitation campaigns. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the severity and ease of exploitation associated with Remote Code Inclusion vulnerabilities.
WordPress websites utilizing the bidorbuy Store Integrator plugin, particularly those running older versions (0.0.0–2.12.0), are at significant risk. Shared hosting environments are especially vulnerable as they often lack granular control over plugin updates and security configurations. Sites relying on legacy WordPress installations or those with inadequate security practices are also at increased risk.
• wordpress / composer / npm:
grep -r "bidorbuy Store Integrator" /var/www/html/
wp plugin list | grep bidorbuy Store Integrator• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/bidorbuy-store-integrator/• wordpress / composer / npm:
wp plugin update bidorbuy-store-integratordisclosure
漏洞利用状态
EPSS
0.05% (16% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2025-48100 is to immediately upgrade the bidorbuy Store Integrator plugin to version 2.12.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. Web Application Firewalls (WAFs) configured with rules to detect and block code injection attempts can provide an additional layer of defense. Monitor WordPress access logs for suspicious activity, particularly attempts to include external files. After upgrading, confirm the vulnerability is resolved by attempting a code inclusion attempt (if safe to do so in a test environment) and verifying that it is blocked.
将 bidorbuy Store Integrator 插件更新到可用的最新版本以缓解远程代码执行漏洞。请检查 WordPress.org 上的插件页面以获取最新版本和更新说明。如果插件对您的网站不是必需的,请考虑禁用或删除该插件。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2025-48100 is a critical Remote Code Execution vulnerability in the bidorbuy Store Integrator WordPress plugin, allowing attackers to execute arbitrary code through Code Injection.
You are affected if your WordPress site uses bidorbuy Store Integrator versions 0.0.0 through 2.12.0. Check your plugin versions immediately.
Upgrade the bidorbuy Store Integrator plugin to version 2.12.1 or later. If immediate upgrade is not possible, temporarily disable the plugin.
As of the publication date, there is no confirmed active exploitation, but the vulnerability's severity suggests exploitation is likely.
Refer to the extremeidea website and WordPress plugin repository for the latest advisory and updates regarding CVE-2025-48100.
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。