Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light (plugin slug excel-like-price-change-for-woocommerce-and-wp-e-commerce-light) allows Code Injection. This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through <= 2.4.37, i.e. every release up to and including 2.4.37.
Published: 2025-06-09
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light plugin (slug excel-like-price-change-for-woocommerce-and-wp-e-commerce-light) does not properly control the generation of code from externally supplied input, a code injection weakness (CWE‑94). The advisory title classifies the outcome as remote code execution: an attacker who can reach the affected code path can have the plugin execute attacker-controlled PHP on the web server, in the context of the WordPress process. Because a WordPress plugin runs with the same privileges as the site itself, that gives control over the site's server-side functionality and, in practice, over the entire WordPress installation, including its database credentials and any files the web server user can read or write. The public advisory does not identify the specific input, request or interface through which the injection occurs.

Affected Systems

The vulnerable product is Holest Engineering's Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light, in every release up to and including 2.4.37; the advisory gives no lower bound ("n/a"), so any installed version at or below 2.4.37 should be treated as affected. Any WordPress site with the plugin installed is at risk, whether it is used with WooCommerce or with WP E-commerce.

Risk and Exploitability

The CVSS 3.1 vector in the record, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (10.0, Critical), describes an attack that is reachable over the network, has low complexity, requires neither privileges nor user interaction, and changes scope with a total impact on confidentiality, integrity and availability; the SSVC assessment agrees (Automatable: yes, Technical Impact: total, Exploitation: none). Against that, the EPSS score is below 1% (0.00068 as of July 2025) and the CVE is not listed in CISA's KEV catalog, so the record contains no evidence of exploitation in the wild. A low EPSS score says nothing about the consequence of exploitation: for an unauthenticated remote code execution bug in a plugin that is reachable from the public internet, the exposure is every site that still runs an affected version. The advisory does not describe the injection vector, and no exploitation details are reproduced here. Immediate action is still required, because a successful attack means full compromise of the site.

Generated by OpenCVE AI on April 30, 2026 at 11:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin as soon as Holest Engineering publishes a fixed release. The record currently lists no fixed version, so do not assume that a release newer than 2.4.37 is patched until the vendor's changelog or the advisory says so.
  • Until a fix is available, deactivate or, preferably, uninstall the plugin. Deactivation stops WordPress from loading the plugin's code, but its PHP files stay on disk and can still be requested directly by URL unless they guard against direct access; uninstalling removes the files as well.
  • Audit WordPress core and every installed plugin, keep only the plugins the site needs, and restrict the accounts that can install or edit plugins to the smallest possible set of administrators.
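
A check that follows the steps above, added here as an example rather than code from OpenCVE or from the plugin vendor: it compares an installed version against the 2.4.37 upper bound stated in the advisory and, where WP-CLI is available, queries each WordPress installation directly and optionally deactivates a vulnerable copy. The plugin slug and the version bound come from the advisory; the WP-CLI commands (`wp plugin is-installed`, `wp plugin get --field=version`, `wp plugin deactivate`) are standard WP-CLI; the DEACTIVATE environment variable, the exit codes and the output wording are this example's own.

```shell
#!/bin/sh
# Added example (not OpenCVE's or Holest Engineering's code). Checks whether
# the affected plugin is installed at a vulnerable version and, optionally,
# deactivates it. The version comparison needs only POSIX sh; the site checks
# assume WP-CLI ("wp") is on PATH.

PLUGIN_SLUG="excel-like-price-change-for-woocommerce-and-wp-e-commerce-light"
MAX_VULNERABLE="2.4.37"   # last affected release per the advisory

# vercmp A B: print -1, 0 or 1 as A is lower than, equal to or higher than B.
# Only the leading dotted-numeric part is compared ("2.4.37-rc1" -> 2.4.37);
# missing components count as 0, so 2.4 equals 2.4.0. Components are compared
# numerically, so 2.10.0 is higher than 2.4.37.
vercmp() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' "-1"; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' "1"; return 0; fi
    done
    printf '%s\n' "0"
}

# is_vulnerable_version V: succeeds (exit 0) when V <= MAX_VULNERABLE.
is_vulnerable_version() {
    [ "$(vercmp "$1" "$MAX_VULNERABLE")" != "1" ]
}

# check_site WP_PATH: exit 0 if the plugin is installed at a vulnerable version,
# 1 if it is installed at a newer version, 2 if it is not installed.
check_site() {
    path="$1"
    if ! wp --path="$path" plugin is-installed "$PLUGIN_SLUG" 2>/dev/null; then
        echo "$path: $PLUGIN_SLUG not installed"
        return 2
    fi
    ver=$(wp --path="$path" plugin get "$PLUGIN_SLUG" --field=version)
    if is_vulnerable_version "$ver"; then
        echo "$path: VULNERABLE, $PLUGIN_SLUG $ver (<= $MAX_VULNERABLE, CVE-2025-48123)"
        return 0
    fi
    # Newer than the bound, but the record lists no fixed release, so this is
    # not a clean bill of health on its own.
    echo "$path: $PLUGIN_SLUG $ver is newer than $MAX_VULNERABLE; confirm against the vendor changelog"
    return 1
}

# Usage: ./check.sh /var/www/site [/var/www/other ...]
# With DEACTIVATE=1 in the environment, vulnerable installs are deactivated.
for site in "$@"; do
    if check_site "$site"; then
        if [ "${DEACTIVATE:-0}" = "1" ]; then
            wp --path="$site" plugin deactivate "$PLUGIN_SLUG"
        fi
    fi
done
```

Run it with one or more WordPress root directories as arguments. A version string that the script cannot parse (for example one with a leading letter) compares as lower than 2.4.37 and is reported as vulnerable, which is the conservative outcome; and a site that lands in the "newer than 2.4.37" branch is not automatically safe, because the record lists no fixed release.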



Advisories
Source: EUVD
ID: EUVD-2025-17525
Title: Improper Control of Generation of Code ('Code Injection') vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light allows Code Injection. This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through 2.4.37.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values: cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Control of Generation of Code ('Code Injection') vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light allows Code Injection. This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through 2.4.37.
Values Added: Improper Control of Generation of Code ('Code Injection') vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light excel-like-price-change-for-woocommerce-and-wp-e-commerce-light allows Code Injection.This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through <= 2.4.37.

Type: Title
Values Removed: WordPress Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light <= 2.4.37 - Remote Code Execution (RCE) Vulnerability
Values Added: WordPress Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light plugin <= 2.4.37 - Remote Code Execution (RCE) Vulnerability

Type: References
Values: (not shown)

Type: Metrics
Values: cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Fri, 11 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.00063}
Values Added: epss {'score': 0.00068}


Tue, 10 Jun 2025 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Jun 2025 16:00:00 +0000

Type: Description
Values Added: Improper Control of Generation of Code ('Code Injection') vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light allows Code Injection. This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through 2.4.37.

Type: Title
Values Added: WordPress Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light <= 2.4.37 - Remote Code Execution (RCE) Vulnerability

Type: Weaknesses
Values Added: CWE-94

Type: References
Values: (not shown)

Type: Metrics
Values Added: cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Woocommerce
Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:51.875Z

Reserved: 2025-05-15T18:01:28.791Z

Link: CVE-2025-48123

Vulnrichment

Updated: 2025-06-10T13:40:40.245Z

NVD

Status : Deferred

Published: 2025-06-09T16:15:42.547

Modified: 2026-04-23T15:30:50.233

Link: CVE-2025-48123

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T11:45:21Z

Weaknesses