WordPress Plugin Vulnerabilities

Custom Login And Signup Widget <= 1.0 - Authenticated (Administrator+) Remote Code Execution

Description

The Custom Login And Signup Widget plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.

Affects Plugins

Plugin icon
custom-login-and-signup-widget
No known fix

References

CVE
CVE-2025-49029
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/055d50de-8a7f-40fa-88e9-f57046c0c450

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Bao
Verified
No
WPVDB ID
1ea5bcfb-6cb6-4447-8450-2a489c91458b

Timeline

Publicly Published
2025-07-01 (about 9 months ago)
Added
2025-07-08 (about 8 months ago)
Last Updated
2025-07-08 (about 8 months ago)

Other

Published
Title
Published
2025-01-03
Title
WP Ultimate Exporter < 2.9.2 - Authenticated (Admin+) Remote Code Execution
Published
2023-08-28
Title
Import XML and RSS Feeds < 2.1.5 - Unauthenticated RCE
Published
2024-03-13
Title
WP Fusion Lite < 3.42.10 - Authenticated (Contributor+) Remote Code Execution
Published
2020-05-07
Title
Elementor Pro < 2.9.4 - Authenticated Arbitrary File Upload
Published
2026-01-15
Title
Event Tickets with Ticket Scanner < 2.8.6 - Unauthenticated Remote Code Execution