CVE-2026-6433

High

Published: 11 May 2026

Published

11 May 2026

Modified

12 May 2026

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0003 8.8th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-6433 is a high-severity an unspecified weakness vulnerability. Its CVSS base score is 7.3 (High).

Operationally, ranked at the 8.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

NVD Description

The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval(), allowing unauthenticated users to execute arbitrary PHP code on the server.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): None listed

References

https://wpscan.com/vulnerability/a0b1c059-e156-4402-ac8d-67f8ad7386cc/
contact@wpscan.com