CVE-2026-6433

Custom CSS JS PHP <= 2.0.7 - Unauthenticated SQL Injection to RCE

CVSS 7.3 (High) · EPSS 0.8%
Vexday Risk Score: 56 (Attention)
SSVC decision (CISA): Attend (a PoC is available, so attend closely)
Indicators: CVSS 7.3 · EPSS 0.8% · KEV: no · Public PoC: yes · Nuclei: yes · Metasploit · Patch
Lifecycle
11 May 2026: Published on NVD
16 May 2026: Public PoC
Recommendation: Plan a near-term fix — a public PoC already exists.
The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval(), allowing unauthenticated users to execute arbitrary PHP code on the server.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
⚠ Public resources for assessing the exposure of systems you control or are authorized to test. Test only with authorization.