SQL Injection Vulnerability in Custom CSS-JS-PHP WordPress Plugin by Custom Software Solutions
CVE-2026-6433
Currently unrated
Key Information:
- Vendor: WordPress
- Status
- Vendor
- CVE Published: 11 May 2026
Badges
- Exploit Exists
- Public PoC
What is CVE-2026-6433?
The Custom CSS-JS-PHP WordPress plugin prior to version 2.0.7 contains a SQL injection vulnerability caused by inadequate input sanitization. Because the plugin passes unverified data to an eval() function, the flaw enables unauthenticated users to execute arbitrary PHP code on the server. This poses a significant risk to web applications using the plugin, and users should update to the latest version to mitigate potential exploitation.
Affected Version(s)
Custom css-js-php 2.0.7
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.