CVE-2026-6433
Description
The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval(), allowing unauthenticated users to execute arbitrary PHP code on the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in Custom css-js-php WordPress plugin ≤2.0.7 leads to remote code execution via unsanitized input passed to eval().
The Custom css-js-php WordPress plugin through version 2.0.7 contains a critical vulnerability that allows unauthenticated attackers to execute arbitrary PHP code on the server. The plugin fails to properly sanitize user-supplied input before incorporating it into a SQL query. The result of that query is then passed directly to PHP's eval() function, enabling code execution [1].
Exploitation requires no authentication, making the attack surface broad. An attacker can send crafted HTTP requests to the vulnerable endpoint, injecting SQL commands that produce a result containing malicious PHP code. When the plugin evaluates this result, the attacker's code runs in the context of the web server.
Successful exploitation grants the attacker full remote code execution capabilities. This can lead to complete compromise of the WordPress site, including data exfiltration, installation of backdoors, and potential lateral movement within the hosting environment.
As of the publication date, no official patch is available. The plugin is affected up to version 2.0.7. Users are advised to disable or remove the plugin immediately and monitor for updates from the vendor. The vulnerability was publicly disclosed on April 20, 2026 [1].
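The pattern the description names, shown as an added illustration next to a hardened form. This is not the plugin's source (which is not on this page); the function names, the `custom_snippets` table, and the `manage_options` capability are assumptions, and the WordPress globals `$wpdb`, `absint()`, `current_user_can()` and `wp_die()` are assumed to be loaded as in any plugin context.

```php
<?php
// Hypothetical code illustrating the bug class: an untrusted id is concatenated
// into a SQL query and the row it returns is handed to eval(). Not the plugin's
// own source; names below are assumptions.

// Vulnerable pattern: string-built query, then eval() of whatever comes back.
function cjp_run_snippet_vulnerable( $id ) {
    global $wpdb;
    // $id arrives straight from the request: no casting, no escaping, no auth.
    $code = $wpdb->get_var(
        "SELECT code FROM {$wpdb->prefix}custom_snippets WHERE id = " . $id
    );
    eval( $code ); // executes whatever the query returned
}

// Hardened pattern: bound parameter, integer coercion, capability check.
function cjp_run_snippet_hardened( $id ) {
    global $wpdb;

    // Only site administrators may trigger execution of stored PHP from a
    // request-supplied id (assumed capability).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // Coerce to a non-negative integer and bind it with a %d placeholder, so
    // the request value can never change the query text.
    $id   = absint( $id );
    $code = $wpdb->get_var(
        $wpdb->prepare(
            "SELECT code FROM {$wpdb->prefix}custom_snippets WHERE id = %d AND enabled = 1",
            $id
        )
    );

    if ( null === $code ) {
        return false; // unknown or disabled snippet: nothing to run
    }

    // The snippet body is still administrator-authored content, which is the
    // plugin's purpose. What the fix removes is the ability of an
    // unauthenticated request to choose, or inject, what reaches eval().
    eval( $code );
    return true;
}
```

When reviewing similar plugins, the thing to grep for is any `eval(` whose argument traces back to a `$wpdb` call built by string concatenation rather than `$wpdb->prepare()`.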
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=2.0.7
- (no CPE) range: <=2.0.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.