CVE-2026-6433: WordPress Plugin SQLi Enables Unauthenticated PHP Code Execution

Executive Summary

A high-severity vulnerability (CVE-2026-6433) has been disclosed in the Custom css-js-php WordPress plugin, affecting all versions through 2.0.7. The flaw is a SQL injection in user-supplied input that is subsequently passed to dynamic PHP code execution, allowing an unauthenticated attacker to execute arbitrary PHP code on the web server.

The vulnerability carries a CVSS score of 7.3 (High) and requires no authentication, making it exploitable by any remote attacker who can reach the vulnerable WordPress installation.

Site owners running the Custom css-js-php plugin version 2.0.7 or earlier should remove or update the plugin immediately.

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-6433
CVSS Score	7.3 (High)
CWE	CWE-89 — SQL Injection
Type	SQL Injection leading to Remote Code Execution
Attack Vector	Network
Privileges Required	None (unauthenticated)
User Interaction	None
Patch Available	Check plugin repository for updated version

Affected Versions

Plugin	Affected Versions	Fixed Version
Custom css-js-php	<= 2.0.7	Pending / Remove plugin

Technical Analysis

Root Cause

The Custom css-js-php plugin allows site administrators to inject custom CSS, JavaScript, and PHP code into WordPress pages. The vulnerability arises from a failure to sanitize user-controlled input before incorporating it into a SQL query.

The critical chain:

SQL Injection — Unsanitized input is embedded directly into a SQL query executed against the WordPress database (CWE-89)
Dynamic Code Execution — The SQL query result is passed to a PHP dynamic code execution function, which interprets the returned string as live PHP code

This two-stage attack chain transforms a SQL injection into unauthenticated remote code execution. An attacker can inject malicious SQL that returns a PHP payload, which is then executed server-side with the privileges of the web server process.

Attack Flow

1. Attacker sends crafted HTTP request to vulnerable endpoint
2. Unsanitized user input is embedded in SQL query
3. SQL query executes against WordPress database (wp_*)
4. Attacker-controlled SQL result is returned to PHP
5. Result is passed to dynamic code execution
6. Attacker's PHP payload executes on the server
7. Full server compromise possible (webshell, data exfiltration, pivot)

Exploitation Conditions

Custom css-js-php plugin version 2.0.7 or earlier must be installed and active
No authentication is required — any remote user can trigger the vulnerability
The endpoint must be reachable over the network

Impact Assessment

Impact Area	Description
Remote Code Execution	Arbitrary PHP runs with web server process privileges
Data Exfiltration	WordPress database contents (users, posts, settings) accessible
Full Site Takeover	Attacker can modify files, install backdoors, create admin accounts
Hosting Environment Pivot	Shared hosting compromise may affect other sites on the same server
Persistent Backdoor	Webshells or rogue admin accounts enable persistent access
SEO Spam / Defacement	Attackers commonly inject spam links or deface compromised WordPress sites

Immediate Remediation

Step 1: Remove or Update the Plugin

If a patched version is not yet available, deactivate and delete the plugin immediately:

# Via WP-CLI
wp plugin deactivate custom-css-js-php
wp plugin delete custom-css-js-php
 
# Verify removal
wp plugin list | grep custom-css-js-php

Or via WordPress Admin: Plugins > Installed Plugins > Custom css-js-php > Deactivate > Delete.

Step 2: Audit for Compromise

# Check for recently created administrator accounts
wp user list --role=administrator --fields=user_login,user_email,user_registered
 
# Search for recently modified PHP files (potential webshells)
find /path/to/wordpress/ -name "*.php" -newer /path/to/wordpress/wp-includes/version.php \
  -not -path "*/cache/*" -type f
 
# Check WordPress options for unexpected values
wp option get siteurl
wp option get home
 
# Look for unauthorized plugin activations
wp plugin list --status=active

Step 3: Harden WordPress

# Force password reset for all administrator accounts
wp user list --role=administrator --format=ids | \
  xargs -I {} wp user update {} --user_pass="$(openssl rand -base64 24)"
 
# Regenerate WordPress secret keys and salts
wp config shuffle-salts
 
# Invalidate all existing sessions
wp db query "DELETE FROM wp_usermeta WHERE meta_key = 'session_tokens';"

Step 4: Review Web Server Logs

# Search for suspicious requests to the vulnerable endpoint (adjust path as needed)
grep -i "custom-css-js-php\|admin-ajax.php" /var/log/apache2/access.log | \
  grep -v "200\|301\|304" | tail -100
 
# Look for POST requests with unusually large bodies (potential injection payloads)
grep "POST" /var/log/nginx/access.log | awk '$10 > 5000' | tail -50

Detection Indicators

Indicator	Description
Unexpected PHP file modifications	Webshell or backdoor installation
New administrator accounts	Attacker persistence mechanism
Unusual POST requests to admin endpoints	Active exploitation attempts
Database queries containing PHP code	SQLi payload in query logs
Outbound connections from web server	Post-compromise exfiltration or C2

Workarounds

If immediate plugin removal is not possible:

Web Application Firewall (WAF) — Deploy Wordfence, Sucuri, or Cloudflare WAF with WordPress rule sets to block SQL injection patterns
IP Allowlisting — Restrict access to the WordPress admin area to known IP ranges
Disable the plugin — Deactivation alone prevents exploitation even if the files remain on disk

Post-Remediation Checklist

Remove Custom css-js-php plugin version 2.0.7 or earlier
Audit all administrator accounts — remove unauthorized entries
Reset all admin passwords and regenerate WordPress secret keys
Invalidate all active sessions
Scan for webshells in wp-content/ and other writable directories
Review web server access logs for prior exploitation indicators
Enable two-factor authentication on all administrator accounts
Deploy a WAF with WordPress rule sets
Consider a full file integrity check against a known-good backup

References

Executive Summary

The vulnerability carries a CVSS score of 7.3 (High) and requires no authentication, making it exploitable by any remote attacker who can reach the vulnerable WordPress installation.

Site owners running the Custom css-js-php plugin version 2.0.7 or earlier should remove or update the plugin immediately.

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-6433
CVSS Score	7.3 (High)
CWE	CWE-89 — SQL Injection
Type	SQL Injection leading to Remote Code Execution
Attack Vector	Network
Privileges Required	None (unauthenticated)
User Interaction	None
Patch Available	Check plugin repository for updated version

Affected Versions

Plugin	Affected Versions	Fixed Version
Custom css-js-php	<= 2.0.7	Pending / Remove plugin

Technical Analysis

Root Cause

The critical chain:

SQL Injection — Unsanitized input is embedded directly into a SQL query executed against the WordPress database (CWE-89)
Dynamic Code Execution — The SQL query result is passed to a PHP dynamic code execution function, which interprets the returned string as live PHP code

Attack Flow

1. Attacker sends crafted HTTP request to vulnerable endpoint
2. Unsanitized user input is embedded in SQL query
3. SQL query executes against WordPress database (wp_*)
4. Attacker-controlled SQL result is returned to PHP
5. Result is passed to dynamic code execution
6. Attacker's PHP payload executes on the server
7. Full server compromise possible (webshell, data exfiltration, pivot)

Exploitation Conditions

Custom css-js-php plugin version 2.0.7 or earlier must be installed and active
No authentication is required — any remote user can trigger the vulnerability
The endpoint must be reachable over the network

Impact Assessment

Impact Area	Description
Remote Code Execution	Arbitrary PHP runs with web server process privileges
Data Exfiltration	WordPress database contents (users, posts, settings) accessible
Full Site Takeover	Attacker can modify files, install backdoors, create admin accounts
Hosting Environment Pivot	Shared hosting compromise may affect other sites on the same server
Persistent Backdoor	Webshells or rogue admin accounts enable persistent access
SEO Spam / Defacement	Attackers commonly inject spam links or deface compromised WordPress sites

Immediate Remediation

Step 1: Remove or Update the Plugin

If a patched version is not yet available, deactivate and delete the plugin immediately:

# Via WP-CLI
wp plugin deactivate custom-css-js-php
wp plugin delete custom-css-js-php
 
# Verify removal
wp plugin list | grep custom-css-js-php

Or via WordPress Admin: Plugins > Installed Plugins > Custom css-js-php > Deactivate > Delete.

Step 2: Audit for Compromise

# Check for recently created administrator accounts
wp user list --role=administrator --fields=user_login,user_email,user_registered
 
# Search for recently modified PHP files (potential webshells)
find /path/to/wordpress/ -name "*.php" -newer /path/to/wordpress/wp-includes/version.php \
  -not -path "*/cache/*" -type f
 
# Check WordPress options for unexpected values
wp option get siteurl
wp option get home
 
# Look for unauthorized plugin activations
wp plugin list --status=active

Step 3: Harden WordPress

# Force password reset for all administrator accounts
wp user list --role=administrator --format=ids | \
  xargs -I {} wp user update {} --user_pass="$(openssl rand -base64 24)"
 
# Regenerate WordPress secret keys and salts
wp config shuffle-salts
 
# Invalidate all existing sessions
wp db query "DELETE FROM wp_usermeta WHERE meta_key = 'session_tokens';"

Step 4: Review Web Server Logs

# Search for suspicious requests to the vulnerable endpoint (adjust path as needed)
grep -i "custom-css-js-php\|admin-ajax.php" /var/log/apache2/access.log | \
  grep -v "200\|301\|304" | tail -100
 
# Look for POST requests with unusually large bodies (potential injection payloads)
grep "POST" /var/log/nginx/access.log | awk '$10 > 5000' | tail -50

Detection Indicators

Indicator	Description
Unexpected PHP file modifications	Webshell or backdoor installation
New administrator accounts	Attacker persistence mechanism
Unusual POST requests to admin endpoints	Active exploitation attempts
Database queries containing PHP code	SQLi payload in query logs
Outbound connections from web server	Post-compromise exfiltration or C2

Workarounds

If immediate plugin removal is not possible:

Web Application Firewall (WAF) — Deploy Wordfence, Sucuri, or Cloudflare WAF with WordPress rule sets to block SQL injection patterns
IP Allowlisting — Restrict access to the WordPress admin area to known IP ranges
Disable the plugin — Deactivation alone prevents exploitation even if the files remain on disk

Post-Remediation Checklist

Remove Custom css-js-php plugin version 2.0.7 or earlier
Audit all administrator accounts — remove unauthorized entries
Reset all admin passwords and regenerate WordPress secret keys
Invalidate all active sessions
Scan for webshells in wp-content/ and other writable directories
Review web server access logs for prior exploitation indicators
Enable two-factor authentication on all administrator accounts
Deploy a WAF with WordPress rule sets
Consider a full file integrity check against a known-good backup

Affected Products

Executive Summary

Vulnerability Overview

Affected Versions

Technical Analysis

Root Cause

Attack Flow

Exploitation Conditions

Impact Assessment

Immediate Remediation

Step 1: Remove or Update the Plugin

Step 2: Audit for Compromise

Step 3: Harden WordPress

Step 4: Review Web Server Logs

Detection Indicators

Workarounds

Post-Remediation Checklist

References

Affected Products

Executive Summary

Vulnerability Overview

Affected Versions

Technical Analysis

Root Cause

Attack Flow

Exploitation Conditions

Impact Assessment

Immediate Remediation

Step 1: Remove or Update the Plugin

Step 2: Audit for Compromise

Step 3: Harden WordPress

Step 4: Review Web Server Logs

Detection Indicators

Workarounds

Post-Remediation Checklist

References