CVE-2025-49029: 
WordPress vulnerability analysis and mitigation

A code injection vulnerability (CVE-2025-49029) was discovered in the WordPress Custom Login And Signup Widget plugin version 1.0 and earlier. The vulnerability was reported on June 19, 2025, and publicly disclosed on July 1, 2025. This security flaw affects the bitto.Kazi Custom Login And Signup Widget component and allows for arbitrary code execution (Patchstack).

The vulnerability is classified as an Improper Control of Generation of Code (CWE-94) issue. It received a CVSS v3.1 score of 9.1 (Critical) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs high privileges, requires no user interaction, and can potentially impact confidentiality, integrity, and availability at high levels (NVD).

The vulnerability could allow a malicious actor with administrator privileges to execute arbitrary code on the affected WordPress site. This type of vulnerability presents a significant risk as it could lead to complete system compromise, allowing attackers to take control of the affected website (Patchstack).

As there is no official fix available for this vulnerability, the recommended mitigation is to completely remove and replace the plugin with a secure alternative. Deactivating the plugin alone does not remove the security threat unless a virtual patch is deployed (Patchstack).