CVE-2025-48123: 
WordPress vulnerability analysis and mitigation

CVE-2025-48123 is a Code Injection vulnerability discovered in Holest Engineering's Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light plugin, affecting versions up to 2.4.37. The vulnerability was initially reported on April 14, 2025, by researcher ch4r0n and was officially published on May 21, 2025 (Wiz).

The vulnerability is classified as an Improper Control of Generation of Code (CWE-94) issue that allows for Remote Code Execution (RCE). It has received a Critical CVSS v3.1 base score of 10.0, with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating the highest possible severity level (NVD, Patchstack).

The vulnerability allows attackers to execute arbitrary commands on the target website, potentially leading to full website compromise. The critical severity rating indicates that successful exploitation could result in complete system compromise, allowing attackers to gain backdoor access and take full control of the affected website (Patchstack).

Currently, no official fix is available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website owners are advised to implement the virtual patch immediately or consider removing the plugin until a security update is released (Wiz).