{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9887", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-02T22:24:44.959Z", "datePublished": "2025-09-20T06:43:20.390Z", "dateUpdated": "2026-04-08T17:33:08.929Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:08.929Z"}, "affected": [{"vendor": "bittokazi", "product": "Custom Login And Signup Widget", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Custom Login And Signup Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation in the /frndzk_adminclsw.php file. This makes it possible for unauthenticated attackers to change the email and username settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Custom Login And Signup Widget <= 1.0 - Cross-Site Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f478db7f-6339-446e-b00d-0710707e679a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/custom-login-and-signup-widget/tags/1.0/frndzk_adminclsw.php#L3"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "joseph kanko"}], "timeline": [{"time": "2025-09-19T18:23:23.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-22T14:53:44.705068Z", "id": "CVE-2025-9887", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-22T14:53:57.815Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9887", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-22T14:53:44.705068Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-22T14:53:47.990Z"}}], "cna": {"title": "Custom Login And Signup Widget <= 1.0 - Cross-Site Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "joseph kanko"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "bittokazi", "product": "Custom Login And Signup Widget", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-19T18:23:23.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f478db7f-6339-446e-b00d-0710707e679a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/custom-login-and-signup-widget/tags/1.0/frndzk_adminclsw.php#L3"}], "descriptions": [{"lang": "en", "value": "The Custom Login And Signup Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation in the /frndzk_adminclsw.php file. This makes it possible for unauthenticated attackers to change the email and username settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:08.929Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9887", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:33:08.929Z", "dateReserved": "2025-09-02T22:24:44.959Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-20T06:43:20.390Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Custom Login And Signup Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation in the /frndzk_adminclsw.php file. This makes it possible for unauthenticated attackers to change the email and username settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-9887", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-20T07:15:36.513", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/custom-login-and-signup-widget/tags/1.0/frndzk_adminclsw.php#L3"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f478db7f-6339-446e-b00d-0710707e679a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:29:29.468001+00:00", "value": {"mitigation_remediation": ["Update the Custom Login And Signup Widget plugin to a version newer than 1.0 as soon as it becomes available", "Review the plugin\u2019s post\u2011back handling and enforce nonce validation on all administrative actions to prevent CSRF", "If an update is unavailable, block or filter POST requests to the frndzk_adminclsw.php endpoint using a web application firewall or by disabling the affected admin page"], "summary": {"action": "Apply patch", "impact": "Unauthorized account setting modification"}, "threat_synthesis": {"affected_systems": "Vulnerable installations are all versions of the Bittokazi Custom Login And Signup Widget that are up to and including v1.0. No other versions are known to be affected.", "description_and_impact": "The Custom Login And Signup Widget plugin for WordPress contains a CSRF flaw caused by missing or incorrect nonce validation in the frndzk_adminclsw.php file. This allows an unauthenticated attacker to forge requests that alter a site administrator\u2019s email and username settings. The impact is the unauthorized modification of domain\u2011level account information, which can compromise administrative control of the site. The weakness is classified as CWE\u2011352.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to trick a site administrator into clicking a crafted link or submitting a malicious form, which then triggers the forged request to change the email and username settings. The requirement of a privileged user interaction keeps the attack surface limited, but once achieved it can lead to administrative takeover of the site."}}}}, "created": "2025-09-22T09:58:52.143596+00:00", "updated": "2026-04-20T19:30:06.173024+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}