CVE-2026-6433

UNKNOWN NVD

CVSS Score 0

Severity UNKNOWN

Published May 11, 2026

Vendor unknown

Description

The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval(), allowing unauthenticated users to execute arbitrary PHP code on the server.

References

https://wpscan.com/vulnerability/a0b1c059-e156-4402-ac8d-67f8ad7386cc/