CVE-2026-6433

HIGH

Custom CSS JS PHP <= 2.0.7 - Unauthenticated SQL Injection to RCE

Title source: cna
STIX 2.1

Description

The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval(), allowing unauthenticated users to execute arbitrary PHP code on the server.

References (1)

Core 1
Core References
Exploit exploit vdb-entry technical-description
https://wpscan.com/vulnerability/a0b1c059-e156-4402-ac8d-67f8ad7386cc/

Scores

CVSS v3 7.3
EPSS 0.0003
EPSS Percentile 8.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

Status published
Products (1)
None/Custom css-js-php 2.0.7
Published May 11, 2026
Tracked Since May 11, 2026