Description
Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.kazi Custom Login And Signup Widget custom-login-and-signup-widget allows Code Injection.This issue affects Custom Login And Signup Widget: from n/a through <= 1.0.
Published: 2025-07-01
Score: 9.1 Critical
EPSS: 2.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Custom Login And Signup Widget plugin for WordPress contains an Improper Control of Generation of Code flaw that allows a malicious user to inject and execute arbitrary PHP code on the host server. The vulnerability arises when the plugin processes user‑supplied input without proper validation or escaping, enabling attackers to craft specially designed requests that are evaluated as code by the server. If exploited, an attacker could gain full control of the website, read or modify sensitive data, install backdoors, or use the server to launch further attacks.

Affected Systems

Affects the bitto.kazi Custom Login And Signup Widget plugin version 1.0 and all earlier releases. WordPress sites that have this plugin installed and enabled are potentially vulnerable. The issue is present in all builds up to and including version 1.0.

Risk and Exploitability

The CVSS score of 9.1 indicates a critical severity. However, the EPSS score is reported as 2%, suggesting that, at the time of analysis, the probability of exploitation in the wild is low. The vulnerability is not listed in CISA’s KEV catalog, which also points to a lower current threat pressure. The likely attack vector is a web‑based form that is exposed to unauthenticated users; an attacker must supply crafted input through the login or signup widget, but no elevated privileges are required. Because the flaw allows remote code execution, any successful exploitation results in complete compromise of the affected site.

Generated by OpenCVE AI on June 18, 2026 at 06:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest available version of the plugin (any release newer than 1.0) if an update is available.
  • If no update is available, disable or remove the plugin to stop its functionality.
  • Deploy a Web Application Firewall rule or input filter to block malicious payloads on the login and signup endpoints.
  • Perform a security audit to look for unauthorized files or code modifications that may have been introduced by a compromise.

Generated by OpenCVE AI on June 18, 2026 at 06:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-19622 Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.Kazi Custom Login And Signup Widget allows Code Injection.This issue affects Custom Login And Signup Widget: from n/a through 1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.Kazi Custom Login And Signup Widget allows Code Injection.This issue affects Custom Login And Signup Widget: from n/a through 1.0. Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.kazi Custom Login And Signup Widget custom-login-and-signup-widget allows Code Injection.This issue affects Custom Login And Signup Widget: from n/a through <= 1.0.
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Tue, 01 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 01 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.Kazi Custom Login And Signup Widget allows Code Injection.This issue affects Custom Login And Signup Widget: from n/a through 1.0.
Title WordPress Custom Login And Signup Widget plugin <= 1.0 - Arbitrary Code Execution vulnerability
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:57.574Z

Reserved: 2025-05-30T14:04:14.279Z

Link: CVE-2025-49029

cve-icon Vulnrichment

Updated: 2025-07-01T13:40:06.833Z

cve-icon NVD

Status : Deferred

Published: 2025-07-01T14:15:39.750

Modified: 2026-06-17T09:30:40.927

Link: CVE-2025-49029

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T07:00:16Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')