Description
Improper Control of Generation of Code ('Code Injection') vulnerability in metalpriceapi MetalpriceAPI metalpriceapi allows Code Injection. This issue affects MetalpriceAPI: from n/a through <= 1.1.4.
Published: 2025-06-09
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The MetalpriceAPI WordPress plugin contains an improper control of code generation flaw that permits attackers to inject arbitrary PHP code. An attacker can trigger this through specially crafted input to the plugin’s endpoints, yielding remote code execution on the hosting server. This vulnerability aligns with CWE-94 and threatens the confidentiality, integrity, and availability of the affected system.

Affected Systems

The vulnerability affects the MetalpriceAPI plugin for WordPress, versions up through and including 1.1.4. Any site running version 1.1.4 or earlier of the plugin is susceptible.

Risk and Exploitability

The CVSS score is 9.9, indicating critical severity. The EPSS score is less than 1%, suggesting a low current probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Attackers would most likely exploit it remotely by sending malicious requests to the plugin’s HTTP API or web forms; this inference is based on typical WordPress plugin behavior rather than published exploit details. Reaching the vulnerable code path requires only web access to the site, which is generally available to anyone who can reach the WordPress installation, so the exposure is high-risk as long as the plugin remains unpatched.

Generated by OpenCVE AI on April 30, 2026 at 11:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MetalpriceAPI plugin to the latest available version, which removes the code injection issue.
  • If an upgrade is not feasible, disable or delete the plugin from the WordPress installation until a patched version is released.
  • Restrict access to the plugin’s administrative endpoints by implementing role-based access controls or firewall rules that block suspicious requests.
  • Monitor web application logs for anomalous code patterns or unexpected POST data that may indicate attempts to exploit the plugin.

Advisories

Source: EUVD
ID: EUVD-2025-17532
Title: Improper Control of Generation of Code ('Code Injection') vulnerability in metalpriceapi MetalpriceAPI allows Code Injection. This issue affects MetalpriceAPI: from n/a through 1.1.4.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics: cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description:
    Removed: Improper Control of Generation of Code ('Code Injection') vulnerability in metalpriceapi MetalpriceAPI allows Code Injection. This issue affects MetalpriceAPI: from n/a through 1.1.4.
    Added: Improper Control of Generation of Code ('Code Injection') vulnerability in metalpriceapi MetalpriceAPI metalpriceapi allows Code Injection.This issue affects MetalpriceAPI: from n/a through <= 1.1.4.
  Title:
    Removed: WordPress MetalpriceAPI <= 1.1.4 - Remote Code Execution (RCE) Vulnerability
    Added: WordPress MetalpriceAPI plugin <= 1.1.4 - Remote Code Execution (RCE) Vulnerability
  References: updated
  Metrics: cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Fri, 11 Jul 2025 13:45:00 +0000
  Metrics: epss
    Removed: {'score': 0.00053}
    Added: {'score': 0.00061}

Tue, 10 Jun 2025 14:15:00 +0000
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Jun 2025 16:00:00 +0000
  Description: Improper Control of Generation of Code ('Code Injection') vulnerability in metalpriceapi MetalpriceAPI allows Code Injection. This issue affects MetalpriceAPI: from n/a through 1.1.4.
  Title: WordPress MetalpriceAPI <= 1.1.4 - Remote Code Execution (RCE) Vulnerability
  Weaknesses: CWE-94
  References: added
  Metrics: cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:52.318Z

Reserved: 2025-05-15T18:01:40.432Z

Link: CVE-2025-48140

Vulnrichment

Updated: 2025-06-10T13:43:26.220Z

NVD

Status: Deferred

Published: 2025-06-09T16:15:43.573

Modified: 2026-04-23T15:30:52.317

Link: CVE-2025-48140

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T11:45:21Z

Weaknesses