Platform
wordpress
Component
metalpriceapi
Fixed version
1.1.5
CVE-2025-48140 describes a Remote Code Execution (RCE) vulnerability within the MetalpriceAPI WordPress plugin. This flaw allows attackers to inject and execute arbitrary code on vulnerable systems, leading to complete compromise. The vulnerability impacts versions 0.0.0 through 1.1.4 of the plugin, and a fix is available in version 1.1.5.
The impact of this RCE vulnerability is severe. An attacker could leverage it to execute malicious code directly on the WordPress server hosting the MetalpriceAPI plugin. This could lead to complete system takeover, allowing the attacker to steal sensitive data, modify website content, install malware, or use the server as a launchpad for further attacks. Given the plugin's potential access to financial data (metal prices), the risk of data exfiltration and manipulation is particularly concerning. The ability to execute arbitrary code bypasses standard security controls, making it a high-priority threat.
CVE-2025-48140 was publicly disclosed on 2025-06-09. The vulnerability's ease of exploitation and the potential for significant impact suggest a medium probability of exploitation (EPSS score likely medium). Public proof-of-concept (POC) code is anticipated to emerge quickly, increasing the risk of widespread exploitation. Monitor security advisories and threat intelligence feeds for updates on active exploitation campaigns.
Websites utilizing the MetalpriceAPI plugin, particularly those handling sensitive financial data or operating in environments with limited security controls, are at significant risk. Shared hosting environments are especially vulnerable as a single compromised plugin instance can impact multiple websites.
• wordpress / composer / npm:
grep -r "metalpriceapi" /var/www/html/wp-content/plugins/
wp plugin list | grep metalpriceapi
• generic web:
curl -I https://example.com/wp-content/plugins/metalpriceapi/ | grep Server
Disclosure
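The grep and wp-cli commands above only tell you whether the plugin is present. The added example below (not part of the original advisory) goes one step further: it reads the plugin's WordPress header to get the installed version and compares it against the 1.1.5 fix with `sort -V` (assumed available, as in GNU coreutils). The plugin directory name and the `Version:` header follow the standard WordPress plugin convention; the sample plugin file used to exercise it is constructed.

```shell
#!/bin/sh
# Added example, not from the advisory: classify an installed MetalpriceAPI
# plugin as affected (0.0.0 - 1.1.4) or fixed (>= 1.1.5) by CVE-2025-48140
# from the "Version:" field of its WordPress plugin header.

FIXED_VERSION="1.1.5"

# Print the Version: header of the first PHP file in a plugin directory that has one.
# WordPress headers live in a comment block, so lines look like " * Version: 1.1.4".
plugin_version() {
    dir="$1"
    for f in "$dir"/*.php; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$f" | head -n 1)
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    done
    return 1
}

# True (exit 0) when version $1 sorts strictly below FIXED_VERSION.
# Uses version sort so that 1.1.10 is correctly treated as newer than 1.1.5.
is_affected() {
    [ "$1" != "$FIXED_VERSION" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$FIXED_VERSION" | sort -V | head -n 1)" = "$1" ]
}

# Check one WordPress install. $1 is the plugins directory (default as used in the
# advisory's grep). Exit codes: 0 not installed / fixed, 1 affected, 2 version unknown.
check_install() {
    plugins="${1:-/var/www/html/wp-content/plugins}"
    dir="$plugins/metalpriceapi"
    [ -d "$dir" ] || { echo "metalpriceapi: not installed"; return 0; }
    v=$(plugin_version "$dir") || { echo "metalpriceapi: installed, version unknown"; return 2; }
    if is_affected "$v"; then
        echo "metalpriceapi $v: AFFECTED by CVE-2025-48140, upgrade to $FIXED_VERSION"
        return 1
    fi
    echo "metalpriceapi $v: not affected (>= $FIXED_VERSION)"
}
```

Run `check_install` with no argument on the host, or pass a different plugins path; a non-zero exit code makes it usable from a fleet-wide audit job.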
Exploitation status
EPSS
0.10% (26th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-48140 is to immediately upgrade the MetalpriceAPI plugin to version 1.1.5 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily disabling the plugin to prevent exploitation. Web Application Firewall (WAF) rules can be implemented to filter potentially malicious code injection attempts targeting the plugin's endpoints. Monitor WordPress logs for suspicious activity, particularly code execution attempts or unusual file modifications. After upgrading, verify the fix by attempting a known code injection payload through the plugin's interface and confirming that it is blocked.
Update the MetalpriceAPI plugin to the latest available version to mitigate the code injection vulnerability. Check for plugin updates in the WordPress repository or on the developer's website. Implement additional security measures, such as input validation and data sanitization, to prevent future vulnerabilities.
CVE-2025-48140 is a critical Remote Code Execution vulnerability in the MetalpriceAPI WordPress plugin, allowing attackers to execute arbitrary code.
You are affected if you are using MetalpriceAPI versions 0.0.0 through 1.1.4. Check your plugin versions and upgrade immediately.
Upgrade the MetalpriceAPI plugin to version 1.1.5 or later. Temporarily disable the plugin if upgrading is not immediately possible.
While active exploitation is not yet confirmed, the vulnerability's severity and ease of exploitation suggest a high likelihood of exploitation.
Refer to the MetalpriceAPI project's official website or WordPress plugin repository for the latest advisory and updates.