๐Ÿ” CVE Alert

CVE-2026-6433

HIGH 7.3

Custom CSS JS PHP <= 2.0.7 - Unauthenticated SQL Injection to RCE

CVSS Score: 7.3
EPSS Score: 0.0%
EPSS Percentile: 5th

The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval(), allowing unauthenticated users to execute arbitrary PHP code on the server.

Vendor: unknown
Product: custom css-js-php
Published: May 11, 2026
Last Updated: May 11, 2026

Affected Versions

Unknown / Custom css-js-php
2.0.7 ≤ 2.0.7

References

NVD, CVE.org, EPSS Data
wpscan.com: https://wpscan.com/vulnerability/a0b1c059-e156-4402-ac8d-67f8ad7386cc/

Credits

John Umoru WPScan