CVE-2025-49029

CRITICAL · NUCLEI

bitto.Kazi Custom Login And Signup Widget <1.0 - Code Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-49029. PoCs published by Nxploited, Boshe99. A Nuclei detection template is also available.


Description

Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.kazi Custom Login And Signup Widget (custom-login-and-signup-widget) allows Code Injection. This issue affects Custom Login And Signup Widget: from n/a through <= 1.0.

Exploits (2)

nomisec WRITEUP 2 stars
by Nxploited · poc
https://github.com/Nxploited/CVE-2025-49029

This repository provides a detailed technical analysis of CVE-2025-49029, a code injection vulnerability in the WordPress Custom Login And Signup Widget Plugin. It explains how an authenticated admin can inject arbitrary PHP code via the 'Sender’s Name' field, leading to remote code execution (RCE).

Classification
Writeup 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: WordPress Custom Login And Signup Widget Plugin <= 1.0
Auth required
Prerequisites: Admin access to WordPress · Plugin version <= 1.0 installed
devstral-2 · analyzed Feb 18, 2026
github WORKING POC
by Boshe99 · pythonpoc
https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2025-49029

The repository contains functional exploit code for CVE-2025-49029, targeting a WordPress plugin (3DPrint Lite 1.9.1.4) with an arbitrary file upload vulnerability. The Python script demonstrates the vulnerability by uploading a shell to a vulnerable endpoint.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: WordPress Plugin 3DPrint Lite 1.9.1.4
No auth needed
Prerequisites: Target URL · Shell file path
devstral-2 · analyzed Feb 27, 2026

Nuclei Templates (1)

WordPress Custom Login And Signup Widget Plugin <= 1.0 - Arbitrary Code Execution
HIGH · VERIFIED · by pussycat0x
FOFA: body="/wp-content/plugins/custom-login-and-signup-widget/"

Scores

CVSS v3 9.1
EPSS 0.0069
EPSS Percentile 72.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-94
Status published
Products (1)
bitto.kazi/Custom Login And Signup Widget < 1.0
Published Jul 01, 2025
Tracked Since Feb 18, 2026