Platform
wordpress
Component
custom-login-and-signup-widget
Fixed in
1.0.1
CVE-2025-49029 describes a Code Injection vulnerability within the Custom Login And Signup Widget, a WordPress plugin. This flaw allows attackers to inject malicious code, potentially gaining unauthorized access and control over the affected WordPress site. Versions 0.0.0 through 1.0 are vulnerable, and a patch is available in version 1.0.1.
The Code Injection vulnerability allows an attacker to execute arbitrary code on the server hosting the WordPress site. This could involve stealing sensitive data (user credentials, database information, customer data), modifying website content, installing malware, or even taking complete control of the server. The impact is particularly severe because WordPress sites often handle sensitive information and are critical for business operations. Successful exploitation could lead to significant financial losses, reputational damage, and legal liabilities. The ability to inject code opens the door to a wide range of malicious activities, effectively granting the attacker a backdoor into the system.
This vulnerability was publicly disclosed on 2025-07-01. The severity is rated as CRITICAL (CVSS 9.1), indicating a high probability of exploitation. Currently, there are no publicly available Proof-of-Concept (PoC) exploits, but the nature of the vulnerability suggests it is likely to be targeted by malicious actors. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
Exploit Status
EPSS
0.30% (53% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade the Custom Login And Signup Widget plugin to version 1.0.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. While a direct workaround is not available, implementing a Web Application Firewall (WAF) with rules to filter potentially malicious code injection attempts can provide an additional layer of defense. Regularly scan your WordPress installation for vulnerabilities using a reputable security plugin.
Update the Custom Login And Signup Widget plugin to the latest available version to mitigate the code injection vulnerability. Check the plugin page on WordPress.org for the latest version and update instructions. Consider disabling or removing the plugin if it is not essential.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-49029 is a critical vulnerability allowing attackers to inject code into the Custom Login And Signup Widget WordPress plugin, potentially leading to full system compromise.
You are affected if you are using Custom Login And Signup Widget versions 0.0.0 through 1.0. Check your plugin versions immediately.
Upgrade the plugin to version 1.0.1 or later to resolve the vulnerability. If upgrading is not possible, temporarily disable the plugin.
While no public exploits are currently available, the vulnerability's severity suggests it is likely to be targeted. Monitor security advisories.
Refer to the plugin developer's website or WordPress plugin repository for the latest advisory and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.