CVE-2025-48140: 
WordPress vulnerability analysis and mitigation

The CVE-2025-48140 is a Remote Code Execution (RCE) vulnerability affecting the WordPress MetalpriceAPI plugin versions up to 1.1.4. The vulnerability was discovered by researcher ch4r0n and publicly disclosed on May 22, 2025. It is classified as an Improper Control of Generation of Code (Code Injection) vulnerability that allows for code injection in the MetalpriceAPI plugin (Wiz, Patchstack).

The vulnerability has received a Critical CVSS v3.1 score of 9.9 with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The exploitation requires Contributor-level privileges or higher to execute. The vulnerability is tracked as CWE-94 (Improper Control of Generation of Code) (NVD, Patchstack).

If successfully exploited, this vulnerability enables malicious actors to execute commands on the target website, potentially leading to full website compromise. The attacker could gain backdoor access and take complete control of the affected WordPress installation (Wiz, Patchstack).

The vulnerability has been fixed in MetalpriceAPI version 1.1.5. Users are strongly advised to update to this version or later immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).