Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

Custom css-js-php

Source -

CNA

CNA CVEs -

2

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
2Vulnerabilities found
CVE-2026-6433
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-Not Assigned
EPSS-Not Assigned
Published-11 May, 2026 | 06:00
Updated-11 May, 2026 | 06:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Custom CSS JS PHP <= 2.0.7 - Unauthenticated SQL Injection to RCE

The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval(), allowing unauthenticated users to execute arbitrary PHP code on the server.

Action-Not Available
Vendor-Unknown
Product-Custom css-js-php
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-4418
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 33.06%
||
7 Day CHG~0.00%
Published-20 Oct, 2023 | 07:29
Updated-08 Apr, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Custom CSS, JS & PHP <= 2.0.7 - Cross-Site Request Forgery Bypass

The Custom CSS, JS & PHP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.7. This is due to missing or incorrect nonce validation on the save() function. This makes it possible for unauthenticated attackers to save code snippets via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-wpfactoryflippercode
Product-custom_css\,_js_\&_phpCustom css-js-php
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)