Custom css-js-php WordPress Plugin SQLi Leads to RCE (CVE-2026-6433)
CVE-2026-6433: Unauthenticated SQL injection in Custom css-js-php plugin ≤2.0.7 lets attackers execute arbitrary PHP via eval(). No patch available.

Executive Summary
A critical unauthenticated SQL injection vulnerability in the Custom css-js-php WordPress plugin (versions through 2.0.7) allows remote attackers to execute arbitrary PHP code on the server. The flaw, tracked as CVE-2026-6433, carries a CVSS base score of 9.8 and requires no authentication or user interaction. According to the disclosure published by WPScan, the plugin fails to sanitize user-supplied input before incorporating it into a SQL query, and the query result is subsequently passed to PHP's eval() function, creating a direct path to code execution. No patch has been released as of May 11, 2026.
Technical Analysis
The vulnerability resides in the plugin's handling of user input destined for SQL queries. The source material from WPScan states that the plugin "does not properly sanitize user input before using it in a SQL query, and the result is passed to eval()." This two-stage flaw is particularly dangerous: the SQL injection alone could enable data exfiltration from the WordPress database, but the eval() call elevates the impact to full remote code execution (RCE).
An unauthenticated attacker can craft a malicious HTTP request to the plugin's endpoint, injecting SQL commands that alter the query result to include arbitrary PHP code. When the plugin retrieves this result and feeds it to eval(), the attacker-supplied PHP executes with the web server's privileges. This pattern — SQLi chained to eval() — is uncommon but historically devastating; similar vulnerabilities in other WordPress plugins have led to complete site compromise and server takeover.
The plugin's purpose — allowing site administrators to inject custom CSS, JavaScript, and PHP — means it inherently requires elevated permissions for legitimate use. However, CVE-2026-6433 bypasses any access controls, exposing the functionality to unauthenticated users. The exact vulnerable input parameter has not been publicly detailed by WPScan at this writing, likely to allow site owners time to mitigate before active exploitation begins.
Mitigations & Recommendations
As of May 11, 2026, no patched version of Custom css-js-php exists. The plugin's last update (version 2.0.7) predates this disclosure, and the vendor has not responded with a fix. Defenders should take the following steps:
- Disable the plugin immediately on all WordPress installations where it is active. If custom CSS/JS/PHP injection is required for site functionality, migrate to an alternative plugin with a maintained security posture.
- Review server access logs for suspicious SQL injection patterns targeting the plugin's endpoints. Look for unusual query parameters containing SQL keywords (UNION, SELECT, INTO OUTFILE) or PHP code fragments (<?php, system(), eval()).
- Apply a web application firewall (WAF) rule to block requests containing both SQL meta-characters and PHP code strings in the same parameter, a signature that strongly indicates exploitation of this specific flaw.
- Monitor file integrity on the web root for unexpected PHP files or modifications to existing plugin files, as successful RCE often leads to backdoor deployment.
Given the CVSS 9.8 severity and the absence of a patch, any site running this plugin should treat it as actively compromised until proven otherwise.
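The log review and WAF signature recommended above can be reduced to one check: flag any request whose single query parameter carries both a SQL keyword and a PHP fragment. The following script is an added example, not part of the WPScan disclosure or the plugin; the log lines are constructed, and the endpoint, action and parameter names are placeholders because the vulnerable parameter has not been published.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (Apache combined format). Endpoint, action and
# parameter names are placeholders: the vulnerable parameter has not been published.
SAMPLE_LOG = """\
203.0.113.10 - - [11/May/2026:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=PLACEHOLDER_ACTION&id=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [11/May/2026:10:02:13 +0000] "GET /wp-admin/admin-ajax.php?action=PLACEHOLDER_ACTION&id=1%20UNION%20SELECT%20%27%3C%3Fphp%20eval%28%29%3B%27 HTTP/1.1" 200 77 "-" "curl/8.4"
203.0.113.12 - - [11/May/2026:10:02:15 +0000] "GET /?s=select+the+best+plugin HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# The two signals the advisory names: SQL keywords and PHP code fragments.
SQL_RE = re.compile(r"\b(?:UNION|SELECT|INTO\s+OUTFILE)\b", re.IGNORECASE)
PHP_RE = re.compile(r"<\?php|\b(?:system|eval)\s*\(", re.IGNORECASE)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

def classify_target(target):
    """Return (severity, parameter) for one request target.
    "high": a single parameter carries both a SQL keyword and a PHP fragment,
    the combined signature described above; "low": one signal only (e.g. the
    word SELECT in a site search), review manually; "none": nothing matched."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    weak = None
    for name, values in params.items():
        for value in values:
            decoded = unquote_plus(value)  # parse_qs decodes once; also catch double-encoding
            sql_hit = SQL_RE.search(decoded) is not None
            php_hit = PHP_RE.search(decoded) is not None
            if sql_hit and php_hit:
                return "high", name
            if (sql_hit or php_hit) and weak is None:
                weak = ("low", name)
    return weak or ("none", None)

def scan_log(text):
    """Return one (ip, method, severity, parameter) tuple per parsed log line.
    Only the query string is inspected: POST bodies never reach the access log,
    so those requests need WAF or application-level logging instead."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            severity, param = classify_target(m["target"])
            findings.append((m["ip"], m["method"], severity, param))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The third sample line shows why the combined signature matters: a lone SELECT in a site-search parameter is ordinary traffic and only rates "low", while the second line's parameter mixes UNION SELECT with a <?php fragment and rates "high".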