The Custom Login And Signup Widget plugin for WordPress contains an Improper Control of Generation of Code flaw that allows a malicious user to inject and execute arbitrary PHP code on the host server. The vulnerability arises when the plugin processes user-supplied input without proper validation or escaping, enabling attackers to craft specially crafted requests that are evaluated as code by the server. If exploited, an attacker could gain full control of the website, read or modify sensitive data, install backdoors, or use the server to launch further attacks.

The flaw affects the bitto.kazi Custom Login And Signup Widget plugin version 1.0 and any earlier releases. WordPress sites that have this plugin installed and enabled are potentially vulnerable. The issue is present in all builds up to and including version 1.0.

The CVSS score of 9.1 indicates a critical severity. However, the EPSS score is reported as less than 1%, suggesting that, at the time of analysis, the probability of exploitation in the wild is low. The vulnerability is not listed in CISA’s KEV catalog, which also points to a lower current threat pressure. The likely attack vector is a web-based form that is exposed to unauthenticated users; an attacker must supply crafted input through the login or signup widget, but no elevated privileges are required. Because the flaw allows remote code execution, any successful exploitation results in complete compromise of the affected site.