← back
CVE-2025-49029

WordPress Custom Login And Signup Widget plugin <= 1.0 - Arbitrary Code Execution vulnerability

CVSS 9.1 CRITICALEPSS 2.1%CWE-94
Vexday Risk Score
63High priority
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 9.1EPSS 2.1%KEV nãoPoC públicaNuclei simMetasploit Patch
Lifecycle
01 Jul 2025Published on NVD
01 Jul 2025Public PoC
Recommendation: Plan a near-term fix — a public PoC already exists.
Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.kazi Custom Login And Signup Widget custom-login-and-signup-widget allows Code Injection.This issue affects Custom Login And Signup Widget: from n/a through <= 1.0.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected products
bitto.kazi · Custom Login And Signup Widget
public PoCs found1
githubgithub.com/Nxploited/CVE-2025-490292
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://patchstack.com/database/Wordpress/Plugin/custom-login-and-signup-widget/vulnerability/wordpress-custom-login-and-signup-widget-plugin-1-0-arbitrary-code-execution-vulnerability?_s_id=cve