Description
The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval(), allowing unauthenticated users to execute arbitrary PHP code on the server.
Published: 2026-05-11
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the Custom css-js-php WordPress plugin up to and including version 2.0.7. User-supplied input is incorporated directly into an SQL statement without sanitization, and the result of that query is then passed to PHP's eval(). An attacker can therefore inject SQL that makes the query return attacker-controlled PHP code, which the plugin executes. Because the plugin does not enforce any authentication boundary, anyone on the internet can trigger the flaw. The injected code runs on the web server with the permissions of the web application, leading to complete compromise of the site and potentially of the underlying host.

Affected Systems

Any WordPress installation that has the Custom css-js-php plugin installed and is running version 2.0.7 or older is affected. The plugin is listed by the CNA as Unknown:Custom css-js-php; no other vendor or product names are specified.

Risk and Exploitability

The EPSS score of 0.00017 (less than 1%) indicates a very low but non-zero probability of exploitation in the wild. Exploitation is trivial and unauthenticated: a single crafted request to the plugin's entry point injects SQL whose result is executed by eval(), yielding remote code execution. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 11, 2026 at 20:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Custom css-js-php plugin to a version later than 2.0.7 that no longer builds SQL from unsanitized input or passes query results to eval() (addressing CWE-89 and CWE-94); at the time of writing no fixed version is listed by the vendor.
  • If an upgrade is not feasible, uninstall or disable the plugin immediately; this is the only measure that fully removes the vulnerable code path.
  • Deploy a web application firewall or server-side input validation to reject requests carrying SQL injection payloads aimed at the plugin's entry point (CWE-89). This reduces exposure of the eval() sink (CWE-94) but does not remove it, since eval() is executed in the plugin's own code.

Advisories

No advisories yet.

History

Mon, 11 May 2026 18:30:00 +0000

Metrics (values added):
cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 17:00:00 +0000

First time appeared (values added): Flippercode; Flippercode custom Css-js-php; Wordpress; Wordpress wordpress
Vendors & Products (values added): Flippercode; Flippercode custom Css-js-php; Wordpress; Wordpress wordpress

Mon, 11 May 2026 08:45:00 +0000

Weaknesses (values added): CWE-89; CWE-94

Mon, 11 May 2026 06:15:00 +0000

Description (value added): The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval(), allowing unauthenticated users to execute arbitrary PHP code on the server.
Title (value added): Custom CSS JS PHP <= 2.0.7 - Unauthenticated SQL Injection to RCE
References (values added):

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-05-11T16:25:31.022Z

Reserved: 2026-04-16T17:16:45.865Z

Link: CVE-2026-6433

Vulnrichment

Updated: 2026-05-11T16:25:14.595Z

NVD

Status : Deferred

Published: 2026-05-11T06:16:09.707

Modified: 2026-05-12T14:47:03.570

Link: CVE-2026-6433

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T20:15:09Z

Weaknesses