Impact statement: CVE-2026-6433 affects the Custom css-js-php WordPress plugin through version 2.0.7. WPScan rates it critical and lists no known fix. Because the vulnerable plugin is designed to run custom code inside WordPress, a compromised install can turn into full site takeover, customer-data exposure, spam injection, redirects, malware cleanup work, and hosting-account suspension if it is left online.
This is a protect-only guide. We are not publishing request details, scanner-ready checks, or test instructions. The safe answer for site owners and hosting providers is to find the plugin, preserve a clean backup, disable or remove it, replace the needed snippets with a maintained approach, and review the site for signs of compromise.
Who Is Affected
- WordPress sites with the plugin slug
custom-css-js-phpinstalled. - Sites running Custom css-js-php version 2.0.7 or older.
- Shared hosting accounts where customers installed old code-snippet plugins years ago and forgot about them.
- Agencies and cPanel/WHM providers that host many older WordPress sites with plugins not visible from one central dashboard.
This does not mean WordPress core is vulnerable. The risk is tied to this specific plugin. The plugin has also been out of normal maintenance for years according to public plugin-index data, so do not assume an automatic update will appear and solve this for you.
What To Do Right Now
- Take a backup first. Preserve files and database before changing anything, especially if the site used the plugin to hold important custom code.
- Inventory every WordPress install. Check the plugin list from WordPress admin, WP-CLI, cPanel WordPress Toolkit, Softaculous, Installatron, or your hosting scanner.
- Disable the plugin. If the site breaks, keep it disabled and move required snippets into a reviewed child theme, small mu-plugin, or maintained snippet manager after cleanup.
- Remove the plugin when possible. With no known fixed release, leaving it installed and inactive is still unnecessary risk.
- Review administrator users. Remove accounts you do not recognize and reset passwords for site owners, admins, FTP/SFTP users, database users, and hosting control-panel users.
- Review recently changed files. Focus on plugin, theme, upload, cache, and mu-plugin folders for unexpected executable files or unfamiliar code changes.
- Scan and clean. Use the malware scanner from your hosting account or open a support ticket if the scan output is unclear.
Safe Admin Commands
These commands are normal local admin checks. Run them only on servers you own or administer.
cd /home/ACCOUNT/public_html
wp plugin list --fields=name,version,status
wp plugin deactivate custom-css-js-php
wp plugin delete custom-css-js-phpFor WHM/cPanel providers checking many accounts from a root shell, inventory first and plan customer communication before deleting anything that could contain business logic.
find /home -path '*/wp-content/plugins/custom-css-js-php' -type d -prune -print 2>/dev/nullcPanel And Hosting Provider Checklist
- Run a hosting-wide WordPress plugin inventory for
custom-css-js-php. - Notify customers before removing the plugin if it may contain custom PHP snippets needed by the site.
- Create account-level backups before cleanup.
- Disable the plugin and move required business logic to a reviewed, version-controlled location.
- Review recent file changes, new admin users, cron jobs, redirects, mail forwarders, and unusual PHP errors.
- Run malware scanning after the plugin is disabled and again after cleanup.
- Reset affected WordPress administrator, cPanel, FTP/SFTP, and database passwords if compromise indicators are found.
- Document what was changed and give the customer a short remediation summary.
What To Tell Customers
Keep the message plain. A critical vulnerability was published for an old WordPress plugin used to run custom CSS, JavaScript, and PHP snippets. There is no known fixed version in the advisory, so the plugin should be disabled or removed. If the site depended on code stored in that plugin, the code needs to be reviewed and moved safely before the site is put back into normal operation.
If the site shows unexpected redirects, new admin users, unfamiliar files, spam pages, or search-engine warnings, treat it as a cleanup job instead of a simple plugin removal.
Replacement Path
- Move presentation-only CSS into the active child theme or a maintained custom CSS tool.
- Move frontend JavaScript into the child theme or a reviewed plugin loaded only where needed.
- Move PHP business logic into a small mu-plugin or site-specific plugin under version control.
- Remove unused snippets instead of blindly copying old code into a new tool.
- Test checkout, forms, contact pages, analytics, redirects, and tracking after the migration.
Fix I.T. Phill Position
For this one, we do not recommend waiting for a plugin update. The advisory says no known fix, the affected plugin is old, and the plugin’s purpose makes the blast radius ugly when something goes wrong. Back up the site, disable the plugin, migrate only the code you still need, scan the account, and clean up anything suspicious before calling the job done.