WordPress Plugin Vulnerabilities

Custom CSS JS PHP <= 2.0.7 - Unauthenticated SQL Injection to RCE

Description

The plugin does not properly sanitize user input before using it in a SQL query, and the result is passed to eval(), allowing unauthenticated users to execute arbitrary PHP code on the server.

Proof of Concept

Affects Plugins

Plugin icon
custom-css-js-php
No known fix

References

CVE
CVE-2026-6433

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
10.0 (critical)

Miscellaneous

Original Researcher
John Umoru
Submitter
John Umoru
Submitter website
https://clarensec.com
Submitter twitter
johnumorujo
Verified
Yes
WPVDB ID
a0b1c059-e156-4402-ac8d-67f8ad7386cc

Timeline

Publicly Published
2026-04-20 (about 3 days ago)
Added
2026-04-20 (about 3 days ago)
Last Updated
2026-04-22 (about 14 hours ago)

Other

Published
Title
Published
2025-01-30
Title
Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg < 1.6.1 - Authenticated (Administrator+) Remote Code Execution
Published
2021-07-05
Title
Speed Booster Pack 4.2.0-beta - Authenticated (admin+) RCE
Published
2024-09-09
Title
Affiliate Super Assistent < 1.5.4 - Unauthenticated Arbitrary Shortcode Execution
Published
2015-04-02
Title
SimpleCart - File Upload & Execution
Published
2024-09-23
Title
MDTF – Meta Data and Taxonomies Filter < 1.3.3.4 - Unauthenticated Arbitrary Shortcode Execution