CVE-2026-6433
Custom CSS JS PHP <= 2.0.7 - Unauthenticated SQL Injection to RCE
The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval(), allowing unauthenticated users to execute arbitrary PHP code on the server.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Affected products
Unknown · Custom css-js-php
Public PoCs found: 2
github: github.com/murrez/CVE-2026-6433 (★ 1)
cve_reference: wpscan.com/vulnerability/a0b1c059-e156-4402-ac8d-67f8ad7386cc/ (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.