CVE-2026-6433 Overview
CVE-2026-6433 affects the Custom css-js-php WordPress plugin through version 2.0.7. The plugin fails to sanitize user input before incorporating it into a SQL query, and the query result is then passed directly to PHP eval(). Unauthenticated attackers can leverage this flow to execute arbitrary PHP code on the host server. The vulnerability combines SQL Injection with Code Injection, producing a pre-authentication remote code execution path against any WordPress site running the affected plugin.
Critical Impact
Unauthenticated attackers can execute arbitrary PHP code on the WordPress server, leading to full site compromise and potential lateral movement into the underlying host.
Affected Products
- Custom css-js-php WordPress plugin versions through 2.0.7
- WordPress installations with the plugin enabled
- Any hosting environment exposing the affected WordPress instance to the network
Discovery Timeline
- 2026-05-11 - CVE-2026-6433 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-6433
Vulnerability Analysis
The Custom css-js-php plugin accepts attacker-controlled input and concatenates it into a SQL statement without proper sanitization or parameterization. This first stage represents a SQL Injection flaw [CWE-89]. The plugin then takes the value returned from the SQL query and passes it directly to PHP eval(), which evaluates the string as PHP source code. This second stage represents a Code Injection flaw [CWE-94].
Because the input flows from an unauthenticated request into both the SQL layer and the eval() sink, attackers need neither credentials nor user interaction. A single crafted HTTP request can alter the query so that it returns attacker-supplied text (for example via an injected UNION SELECT) in place of a legitimately stored value, and the plugin then hands that text to eval(), executing it as PHP.
Successful exploitation yields code execution under the web server user. Attackers can drop webshells, harvest database credentials from wp-config.php, modify plugin or theme files, create administrator accounts, and pivot to other tenants on shared hosting.
Root Cause
The root cause is dual: missing input sanitization on a SQL query parameter, and the use of eval() on data influenced by untrusted input. Either issue alone would be a defect; together they form an unauthenticated remote code execution chain.
Attack Vector
The attack vector is network-based. An attacker sends an HTTP request to the vulnerable plugin endpoint with a crafted payload designed to manipulate the SQL query and place PHP code into the value that the plugin subsequently evaluates. No authentication or user interaction is required. Technical specifics are documented in the WPScan Vulnerability Report.
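The following is an added illustration of the two-stage pattern described above, written for this page and not taken from the plugin's code. It is Python with an in-memory SQLite database standing in for the WordPress database; the table and column names, the request parameter, and the payload are all assumed, since the advisory does not publish the real endpoint. The vulnerable lookup concatenates the request parameter into the query exactly as the analysis describes, so a UNION lets the attacker choose the string that reaches the eval() sink; the hardened lookup coerces the parameter to an integer and binds it (the WordPress equivalents are absint() and $wpdb->prepare()), after which only stored rows can be returned.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the plugin's snippet storage (names assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE snippets (id INTEGER PRIMARY KEY, code TEXT)")
    conn.execute("INSERT INTO snippets VALUES (1, ?)", ('echo "hello";',))
    return conn


def fetch_code_vulnerable(conn: sqlite3.Connection, snippet_id: str):
    """Flawed pattern (CWE-89): the request parameter is concatenated into
    the statement. Whatever this returns is what eval() would receive
    (CWE-94), so controlling the result set means controlling executed code."""
    sql = "SELECT code FROM snippets WHERE id = " + snippet_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def fetch_code_fixed(conn: sqlite3.Connection, snippet_id: str):
    """Hardened lookup: coerce to int and bind it as a parameter. The value
    can no longer change the shape of the statement, so the query can only
    ever return rows that already exist in the table."""
    try:
        sid = int(snippet_id)
    except (TypeError, ValueError):
        return None
    row = conn.execute(
        "SELECT code FROM snippets WHERE id = ?", (sid,)
    ).fetchone()
    return row[0] if row else None


# Constructed payload: id 0 does not exist, so the only row the vulnerable
# query returns is the attacker's UNION branch, a string the attacker never
# had to store anywhere.
PAYLOAD = "0 UNION SELECT 'system(\"id\");'"


def demo() -> dict:
    """Run a legitimate and an injected lookup through both code paths."""
    conn = build_db()
    return {
        "legit_vulnerable": fetch_code_vulnerable(conn, "1"),
        "attack_vulnerable": fetch_code_vulnerable(conn, PAYLOAD),
        "legit_fixed": fetch_code_fixed(conn, "1"),
        "attack_fixed": fetch_code_fixed(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Binding the parameter closes only the first stage. The second stage, eval() on a string read from the database, remains a code-injection sink for anyone who can write to that table through any other route (another injection, a compromised editor account, a shared-hosting neighbour with database access), which is why removing the eval() path, not just parameterising the query, is the complete fix.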
Detection Methods for CVE-2026-6433
Indicators of Compromise
- Unexpected PHP files in the WordPress wp-content/uploads, plugin, or theme directories following requests to Custom css-js-php endpoints
- New administrator accounts in wp_users that were not created by site operators
- Outbound connections from the PHP-FPM or web server process to unfamiliar IP addresses immediately after plugin endpoint access
- Web server logs showing requests to plugin URLs whose parameters carry SQL keywords or meta-characters (UNION SELECT, quotes, comment sequences such as -- or /*) or PHP open tags, including their URL-encoded and double-encoded forms
Detection Strategies
- Inspect HTTP access logs for requests targeting Custom css-js-php plugin paths combined with SQL syntax or <?php markers in parameters
- Monitor PHP process telemetry for spawning of shells (sh, bash), curl, or wget from the web server user context
- Hash plugin and theme files and alert on modifications outside of administrator-initiated updates
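As an added example of the log-inspection strategy above (written for this page, not part of the original advisory), the script below parses Apache/nginx combined-format access log lines, URL-decodes each request URI twice so that double-encoded payloads are visible, and flags requests that mention the plugin and carry the signals the advisory lists. The plugin slug custom-css-js-php is assumed from the plugin's name, the endpoint file names in the sample lines are placeholders, and the log lines themselves are constructed.

```python
import re
from urllib.parse import unquote_plus

# Assumption: the plugin slug appears somewhere in the request URI, either as
# the plugin directory under wp-content/plugins/ or as an admin-ajax action.
PLUGIN_SLUG = "custom-css-js-php"

# Apache/nginx "combined" log format: ip ident user [ts] "method uri proto" status ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)

# Signals named in the advisory's detection guidance, checked against the
# decoded query string. Order determines the order of reported reasons.
SIGNALS = [
    ("sql-union", re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I)),
    ("sql-comment", re.compile(r"(--|/\*)")),
    ("php-tag", re.compile(r"<\?(php|=)", re.I)),
    ("quote", re.compile(r"['\"]")),
]


def decode_uri(uri: str) -> str:
    """Decode twice so %2527 (double-encoded quote) becomes a visible quote."""
    return unquote_plus(unquote_plus(uri))


def classify(uri: str) -> list:
    """Return the signal names present in the query string of a request that
    targets the plugin; an empty list means nothing to report."""
    decoded = decode_uri(uri)
    if PLUGIN_SLUG not in decoded.lower():
        return []
    _, _, query = decoded.partition("?")
    return [name for name, rx in SIGNALS if rx.search(query)]


def flag_requests(lines) -> list:
    """Parse combined-format lines and return the suspicious ones with reasons."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        signals = classify(m["uri"])
        if signals:
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "uri": m["uri"], "signals": signals})
    return hits


# Constructed sample log lines (endpoint file names are placeholders).
SAMPLE_LOG = [
    # benign asset load from the plugin directory
    '203.0.113.5 - - [11/May/2026:10:00:01 +0000] "GET /wp-content/plugins/'
    'custom-css-js-php/assets/admin.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    # single URL-encoded UNION SELECT carrying a PHP payload
    '198.51.100.7 - - [11/May/2026:10:00:09 +0000] "GET /wp-content/plugins/'
    'custom-css-js-php/endpoint.php?id=0%20UNION%20SELECT%20%27system%28%22id'
    '%22%29%3B%27 HTTP/1.1" 200 64 "-" "python-requests/2.31"',
    # same idea via admin-ajax, double-encoded, with a PHP open tag
    '198.51.100.7 - - [11/May/2026:10:00:12 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=custom-css-js-php&id=0%2520UNION%2520SELECT%2520%2527%253C%253Fphp'
    '%2520system%2528%2522id%2522%2529%253B%2527 HTTP/1.1" 200 64 "-" "curl/8.0"',
    # SQL syntax against an unrelated endpoint: out of scope for this rule
    '192.0.2.9 - - [11/May/2026:10:01:00 +0000] "GET /?s=1%20UNION%20SELECT%201'
    ' HTTP/1.1" 200 5120 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["signals"], hit["uri"])
```

Treat the output as a triage queue, not a control: keyword matching is easy to evade (UNiOn/**/SeLeCt, alternative encodings, payloads split across parameters), so a request that passes this filter is not thereby clean. The same limitation applies to signature-based WAF rules.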
Monitoring Recommendations
- Forward web server, PHP error, and WordPress audit logs to a central analytics platform for correlation
- Track the statements issued by the WordPress database user and alert on UNION-style or otherwise unexpectedly shaped SELECT statements against the plugin's tables, since the application normally issues only fixed-shape lookups
- Enable file integrity monitoring on the WordPress installation root
How to Mitigate CVE-2026-6433
Immediate Actions Required
- Disable and remove the Custom css-js-php plugin if a patched version is not available for your installation
- Rotate WordPress administrator passwords, database credentials, and any API keys stored in wp-config.php
- Review user accounts and scheduled tasks (the cron entry in the wp_options table) for unauthorized entries
- Restore from a known-good backup if indicators of compromise are present
Patch Information
No fixed version is identified in the available advisory data. The plugin is reported vulnerable through version 2.0.7. Monitor the WPScan Vulnerability Report for vendor updates and apply any released patch as soon as it becomes available.
Workarounds
- Remove the plugin from the WordPress installation until a verified patch is released
- Block external access to plugin endpoints at the web application firewall; rules that filter SQL keywords and PHP tags in request parameters reduce exposure but are bypassable through encoding and comment tricks, so treat them as a stopgap rather than a fix
- Restrict the WordPress database user to the minimum privileges required; this limits what an injected query can read or change but does not stop the eval() path, because a UNION that returns an attacker-chosen string needs no privileges beyond SELECT
# Configuration example: disable the plugin via WP-CLI
# (custom-css-js-php is the plugin's directory slug; adjust if it differs on your install)
wp plugin deactivate custom-css-js-php
wp plugin delete custom-css-js-php
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.