HIGHCVE-2026-6433Published Modified CNA WPScan
CVE-2026-6433: Custom CSS JS PHP <= 2.0.7 - Unauthenticated SQL Injection to RCE
The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval(), allowing unauthenticated users to execute arbitrary PHP code on the server.
Metrics
- CVSS v3.1
- 7.3
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
Affected packages
- Unknown / Custom css-js-php≤ 2.0.7
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:LReferences