CVE-2025-9887: 
WordPress vulnerability analysis and mitigation

The Custom Login And Signup Widget plugin for WordPress has been identified with a Cross-Site Request Forgery vulnerability (CVE-2025-9887), discovered and disclosed on September 19, 2025. This vulnerability affects all versions up to and including 1.0 of the plugin (Wordfence).

The vulnerability stems from missing or incorrect nonce validation in the /frndzk_adminclsw.php file. The CVSS v3.1 base score is 4.3 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction (NVD).

If successfully exploited, the vulnerability allows unauthenticated attackers to modify email and username settings through forged requests. This can occur when an attacker successfully tricks a site administrator into performing specific actions, such as clicking on a malicious link (NVD).

As of the vulnerability disclosure, no official patch has been released. Website administrators using the Custom Login And Signup Widget plugin should consider temporarily disabling the plugin until a security update is available (Wordfence).