CVE-2026-6433 PUBLISHED

Custom CSS JS PHP <= 2.0.7 - Unauthenticated SQL Injection to RCE

Assigner: WPScan
Reserved: 16.04.2026 Published: 11.05.2026 Updated: 11.05.2026

The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval(), allowing unauthenticated users to execute arbitrary PHP code on the server.

Product Status

Vendor: Unknown
Product: Custom css-js-php
Versions Default: unknown
  • affected from 2.0.7 to 2.0.7 (incl.)

Credits

  • John Umoru (finder)
  • WPScan (coordinator)

Problem Types

  • CWE-94: Improper Control of Generation of Code ('Code Injection')