Description

The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval(), allowing unauthenticated users to execute arbitrary PHP code on the server.

Status: PUBLISHED | Reserved 2026-04-16 | Published 2026-05-11 | Updated 2026-05-11 | Assigner: WPScan

Problem types

CWE-94 Improper Control of Generation of Code ('Code Injection')

Product status

Default status: unknown

2.0.7 (semver): affected

Credits

John Umoru (finder)

WPScan (coordinator)

References

wpscan.com/...rability/a0b1c059-e156-4402-ac8d-67f8ad7386cc/ (exploit, vdb-entry, technical-description)

cve.org (CVE-2026-6433)

nvd.nist.gov (CVE-2026-6433)