PT-2026-33983

Author: John Umoru · Published 2026-04-21 · Updated 2026-05-16

CVE ID: CVE-2026-6433
CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Custom css-js-php, versions prior to 2.0.8

Description: The plugin fails to properly sanitize user input before incorporating it into a SQL query. The resulting output is then passed to the eval() function, which enables unauthenticated users to execute arbitrary PHP code on the server. This is a SQL injection (SQLi) leading to Remote Code Execution (RCE): an attacker can run commands on the host operating system from a remote machine.

Recommendations: Update to a version newer than 2.0.7.
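The chain the description names (untrusted input concatenated into SQL, query result handed to eval()) is a general anti-pattern in "custom PHP snippet" plugins. The following is an added illustration written for this page; it is not the plugin's code and makes no claim about how the plugin is built. Table name, column names, the request parameter and the function and nonce names are assumptions. It contrasts the anti-pattern with a hardened read/write split in which the request never selects what gets executed and every query goes through $wpdb->prepare().

```php
<?php
/**
 * Added illustration for this advisory; NOT the plugin's own code.
 * Table name, column names, request parameter, nonce action and
 * function names are assumptions made for the example.
 */

// -------- Anti-pattern: the SQLi-to-eval() chain (illustrative only) --------
function ccjp_example_run_snippet_unsafe( $wpdb ) {
    // Untrusted request data is concatenated straight into the SQL text.
    $id  = $_GET['snippet_id'];
    $row = $wpdb->get_row( "SELECT code FROM {$wpdb->prefix}snippets WHERE id = $id" );
    // Whatever the query returns becomes executable PHP, so an injected
    // query that controls the result set controls the code that runs.
    eval( $row->code );
}

// -------- Hardened: parameterised SQL, no request-selected eval() --------

// Write path: only an administrator, through a nonce-protected admin request,
// may store a snippet. This is the control that keeps eval()'d code admin-authored.
function ccjp_example_save_snippet( $wpdb, $code ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    check_admin_referer( 'ccjp_example_save' ); // assumed nonce action name
    $wpdb->insert(
        $wpdb->prefix . 'snippets',
        array( 'code' => $code, 'type' => 'php', 'status' => 'active' ),
        array( '%s', '%s', '%s' )
    );
}

// Read path: nothing here is derived from the request. Selection criteria are
// fixed constants and still pass through $wpdb->prepare() for quoting.
function ccjp_example_run_active_snippets( $wpdb ) {
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT code FROM {$wpdb->prefix}snippets WHERE type = %s AND status = %s",
            'php',
            'active'
        )
    );
    foreach ( (array) $rows as $row ) {
        // eval() of administrator-authored code is the feature itself; the
        // defence is that the write path above is the only way into this table
        // and the read path takes no input from the visitor.
        eval( $row->code );
    }
}
```

The two properties worth checking when reviewing a plugin of this kind are exactly the ones the example separates: every SQL statement that touches request data is built with $wpdb->prepare() (or an equivalent parameterised API), and no code path reachable by an unauthenticated visitor can influence which stored snippet reaches eval(). A capability check plus nonce on the save handler closes the write side; a fixed, request-independent read side closes the execute side.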


Related Identifiers: CVE-2026-6433

Affected Products: Custom css-js-php (versions prior to 2.0.8)