Description
The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval(), allowing unauthenticated users to execute arbitrary PHP code on the server.
Published: 2026-05-11
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the Custom css-js-php WordPress plugin up to and including version 2.0.7. User-supplied input is incorporated directly into an SQL statement without proper sanitization, and the result of that query is then passed to PHP's eval() function, so an attacker who can inject SQL controls the PHP code that gets executed. Because the plugin does not enforce an authentication boundary on this code path, anyone on the internet can trigger the flaw. The attacker can run arbitrary PHP code on the web server with the permissions of the web application, leading to complete compromise of the site and potentially of the underlying host.

Affected Systems

Any WordPress installation running the Custom css-js-php plugin at version 2.0.7 or older is affected. The CNA lists the product as Unknown:Custom css-js-php; no other vendor or product names are specified.

Risk and Exploitability

Since no EPSS score is available, the exploitation likelihood cannot be quantified. The flaw permits trivial unauthenticated exploitation: a crafted request to the plugin's entry point causes the injected SQL to return code that eval() then executes, yielding remote code execution. Because there is no authentication check, any internet user can trigger the vulnerability.

Generated by OpenCVE AI on May 11, 2026 at 08:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Custom css-js-php plugin to the latest available version, which removes the unsanitized SQL queries and eliminates the eval() call, thereby fixing CWE-89 and CWE-94.
  • If an upgrade is not feasible, uninstall or disable the plugin immediately to eliminate the vulnerability.
  • Deploy a web application firewall or configure server-side input validation to reject unsanitized input that could trigger SQL injection (CWE-89) and to block the use of PHP's eval() (CWE-94).

Generated by OpenCVE AI on May 11, 2026 at 08:20 UTC.
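To make the CWE-89 to CWE-94 chain concrete, here is a hypothetical WordPress snippet added to this record; it is not the plugin's own source (which this page does not show). It gives the vulnerable pattern the description outlines, followed by a hardened version along the lines of the recommended fix. The table name, the `snippet` request parameter and the capability check are assumptions.

```php
<?php
// Hypothetical code added to illustrate the chain described above
// (CWE-89 SQL injection whose result reaches eval(), CWE-94).
// It is NOT the Custom css-js-php plugin's source. Assumed schema:
// table {prefix}custom_snippets(id INT, code TEXT); request parameter "snippet".

// VULNERABLE pattern: the request value is concatenated into the SQL text,
// so a crafted value rewrites the query, and whatever the query returns
// is then handed to eval() and run as PHP.
function vulnerable_run_snippet() {
    global $wpdb;
    $id  = $_GET['snippet'];                               // unsanitized, untyped input
    $sql = "SELECT code FROM {$wpdb->prefix}custom_snippets WHERE id = $id";
    $row = $wpdb->get_row( $sql );
    if ( $row ) {
        eval( $row->code );                                // query result becomes executable code
    }
}

// HARDENED version, following the remediation listed on this page:
//  1. a capability check, so the code path is no longer reachable unauthenticated;
//  2. $wpdb->prepare() with a %d placeholder, so the input cannot alter the query;
//  3. no eval(): the stored content is escaped and rendered as text, never executed.
function hardened_output_snippet() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    $id  = absint( $_GET['snippet'] ?? 0 );                // coerced to a non-negative integer
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT code FROM {$wpdb->prefix}custom_snippets WHERE id = %d", $id )
    );
    if ( null === $row ) {
        return;
    }
    echo '<pre>' . esc_html( $row->code ) . '</pre>';      // data, not code
}
```

Removing eval() changes what the feature does (stored snippets are shown rather than run), which is exactly the trade the recommended actions above accept.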

Advisories

No advisories yet.

History

Mon, 11 May 2026 08:45:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-89, CWE-94

Mon, 11 May 2026 06:15:00 +0000

Type: Description
Values Added: The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval(), allowing unauthenticated users to execute arbitrary PHP code on the server.

Type: Title
Values Added: Custom CSS JS PHP <= 2.0.7 - Unauthenticated SQL Injection to RCE

Type: References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-05-11T06:00:01.278Z

Reserved: 2026-04-16T17:16:45.865Z

Link: CVE-2026-6433

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-11T06:16:09.707

Modified: 2026-05-11T06:16:09.707

Link: CVE-2026-6433

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T08:30:31Z

Weaknesses