What the vulnerability does
01Description
Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.kazi Custom Login And Signup Widget custom-login-and-signup-widget allows Code Injection.This issue affects Custom Login And Signup Widget: from n/a through <= 1.0.
Explanation of Vulnerability in Simple Terms
02Summary
The Custom Login And Signup Widget for bitto.kazi contains a code injection vulnerability in versions up to 1.0. An authenticated administrator can inject and execute arbitrary code through the widget's input handling. This allows complete compromise of the site, including data theft, modification, and service disruption. Update immediately to a patched version.
What an attacker can do
03Attacker Capabilities
Run arbitrary code on the site with full system access.
Potential impact on your site
04Site Impact
A compromised admin account can execute code, steal data, modify content, and disable the site.
Conditions required to exploit
05Prerequisites
Attacker must have administrator-level access to the site.
Key dates
06Disclosure timeline
July 1, 2025
CVE published
April 28, 2026
Record updated