CVE-2026-6433

WordPress · Custom css-js-php

The Custom css-js-php WordPress plugin allows unauthenticated code injection due to improper control of generation of code.

Executive summary

A critical code injection vulnerability exists in the Custom css-js-php WordPress plugin, potentially allowing unauthenticated remote code execution.

Vulnerability

This vulnerability is a CWE-94 Code Injection flaw. It allows an unauthenticated attacker to inject arbitrary code into the WordPress environment, leading to full site compromise.

Business impact

Successful exploitation allows an attacker to execute arbitrary code, which can result in complete loss of confidentiality, integrity, and availability of the WordPress site. While the base CVSS score is 7.3, the Wordfence Intelligence assessment rates this at 9.8 (Critical) due to the ease of unauthenticated exploitation, posing a severe risk to organizational data and operational continuity.

Remediation

Immediate Action: As no patched version is currently available, administrators must immediately deactivate and remove the Custom css-js-php plugin from all WordPress installations.

Proactive Monitoring: Monitor server logs for suspicious PHP execution patterns or unexpected file modifications in the plugin directory.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block common injection payloads, though removal remains the only definitive remediation.

Exploitation status

Public Exploit Available: Yes — a public proof-of-concept exists on GitHub and a Nuclei detection template is available.

Analyst recommendation

The severity of this flaw cannot be overstated given the potential for unauthenticated remote code execution. Because no vendor patch is currently available, organizations must prioritize the immediate removal of this plugin to prevent unauthorized access and potential site takeover.