CVE-2025-48129 — AI Deep Analysis Summary

🚨 **Essence**: Critical Privilege Escalation in WordPress Plugin. 💥 **Consequences**: Attackers can gain full Admin control without credentials. CVSS 9.8 (Critical). Total site compromise possible.

🛡️ **Root Cause**: CWE-266 (Incorrect Privilege Assignment). ⚠️ **Flaw**: The plugin fails to properly check user permissions before allowing administrative actions. Logic flaw in access control.

📦 **Affected**: Plugin: *Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light*. 📉 **Versions**: v2.4.37 and earlier. 🏢 **Vendor**: Holest Engineering.

🔓 **Hackers Can**: Create Administrator accounts from scratch. 👑 **Privileges**: Full Admin access (C:H/I:H/A:H). 📊 **Data**: Read/Write/Execute arbitrary code on the server. No prior access needed.

📉 **Threshold**: LOW. 🔑 **Auth**: Unauthenticated (PR:N). 🌐 **Network**: Remote (AV:N). ⚡ **Complexity**: Low (AC:L). No user interaction required (UI:N). Easy to exploit.

🔥 **Public Exploit**: YES. 📂 **PoC**: Available on GitHub (Nxploited/CVE-2025-48129). 🌍 **Wild Exploitation**: High risk due to simplicity and lack of auth requirement.

🔍 **Self-Check**: Scan for installed plugin version. 📋 **Feature**: Check if *Spreadsheet Price Changer* is active. 🛠️ **Tool**: Use WPScan or manual version check in WordPress dashboard > Plugins. 🚩 **Flag**: Version <=…

❌ **Official Fix**: NO. 📝 **Status**: No patched version released yet. ⏳ **Vendor Action**: None reported as of publication date (2025-06-09).

🛡️ **Workaround**: 1️⃣ **Disable/Uninstall** the plugin immediately. 2️⃣ **Restrict Access**: Block plugin endpoints via WAF if uninstallation isn't possible. 3️⃣ **Monitor**: Watch for new Admin account creations.

🔴 **Priority**: CRITICAL. ⚡ **Urgency**: IMMEDIATE ACTION REQUIRED. 📢 **Reason**: Unauthenticated RCE/Privilege Escalation with PoC available. High impact on confidentiality, integrity, and availability.