CVE-2025-48140 – WordPress MetalpriceAPI <= 1.1.4 - Remote Code Execution (RCE) Vulnerability

https://notcve.org/view.php?id=CVE-2025-48140

22 May 2025 — Improper Control of Generation of Code ('Code Injection') vulnerability in metalpriceapi MetalpriceAPI allows Code Injection. This issue affects MetalpriceAPI: from n/a through 1.1.4. The MetalpriceAPI plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.1.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. • https://patchstack.com/database/wordpress/plugin/metalpriceapi/vulnerability/wordpress-metalpriceapi-1-1-4-remote-code-execution-rce-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •