CVE-2026-6433

CVE-2026-6433: Custom CSS JS PHP <= 2.0.7 - Unauthenticated SQL Injection to RCE

Vendor: Unknown
Product: Custom css-js-php
Published: May 11, 2026
Last update: May 11, 2026

CVSS base score

What the vulnerability does

Description

The Custom css-js-php WordPress plugin through version 2.0.7 does not properly sanitize user input before using it in a SQL query, and the query result is then passed to eval(). This allows unauthenticated users to execute arbitrary PHP code on the server.

Key dates

Disclosure timeline

May 11, 2026: CVE published
May 11, 2026: Record updated