プラットフォーム
wordpress
コンポーネント
custom-login-and-signup-widget
修正版
1.0.1
CVE-2025-49029 describes a Code Injection vulnerability within the Custom Login And Signup Widget, a WordPress plugin. This flaw allows attackers to inject malicious code, potentially gaining unauthorized access and control over the affected WordPress site. Versions 0.0.0 through 1.0 are vulnerable, and a patch is available in version 1.0.1.
The Code Injection vulnerability allows an attacker to execute arbitrary code on the server hosting the WordPress site. This could involve stealing sensitive data (user credentials, database information, customer data), modifying website content, installing malware, or even taking complete control of the server. The impact is particularly severe because WordPress sites often handle sensitive information and are critical for business operations. Successful exploitation could lead to significant financial losses, reputational damage, and legal liabilities. The ability to inject code opens the door to a wide range of malicious activities, effectively granting the attacker a backdoor into the system.
This vulnerability was publicly disclosed on 2025-07-01. The severity is rated as CRITICAL (CVSS 9.1), indicating a high probability of exploitation. Currently, there are no publicly available Proof-of-Concept (PoC) exploits, but the nature of the vulnerability suggests it is likely to be targeted by malicious actors. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
WordPress websites utilizing the Custom Login And Signup Widget plugin, particularly those running older, unpatched versions (0.0.0–1.0). Shared hosting environments are at increased risk due to the potential for cross-site contamination if one site is compromised.
• wordpress / composer / npm:
grep -r "bitto.kazi/custom-login-and-signup-widget" * | grep -i "version 1.0" # Check for vulnerable versions
wp plugin list | grep "Custom Login And Signup Widget"• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/custom-login-and-signup-widget/ | grep -i "version"disclosure
エクスプロイト状況
EPSS
0.30% (53% パーセンタイル)
CISA SSVC
CVSS ベクトル
The primary mitigation is to immediately upgrade the Custom Login And Signup Widget plugin to version 1.0.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. While a direct workaround is not available, implementing a Web Application Firewall (WAF) with rules to filter potentially malicious code injection attempts can provide an additional layer of defense. Regularly scan your WordPress installation for vulnerabilities using a reputable security plugin.
コードインジェクション (Code Injection) の脆弱性を軽減するために、Custom Login And Signup Widget プラグインを最新バージョンにアップデートしてください。最新バージョンとアップデート手順については、WordPress.org のプラグインページを確認してください。必須でない場合は、プラグインを無効化または削除することを検討してください。
脆弱性分析と重要アラートをメールでお届けします。
CVE-2025-49029 is a critical vulnerability allowing attackers to inject code into the Custom Login And Signup Widget WordPress plugin, potentially leading to full system compromise.
You are affected if you are using Custom Login And Signup Widget versions 0.0.0 through 1.0. Check your plugin versions immediately.
Upgrade the plugin to version 1.0.1 or later to resolve the vulnerability. If upgrading is not possible, temporarily disable the plugin.
While no public exploits are currently available, the vulnerability's severity suggests it is likely to be targeted. Monitor security advisories.
Refer to the plugin developer's website or WordPress plugin repository for the latest advisory and updates.
依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。