{"vulnerability": "CVE-2026-6433", "sightings": [{"uuid": "45af5f37-266f-4a01-a68c-6b6e1790c573", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-6433", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mlkntaovtw2e", "content": "CVE-2026-6433 - Custom CSS JS PHP\nCVE ID : CVE-2026-6433\n \n Published : May 11, 2026, 6:16 a.m. | 14\u00a0minutes ago\n \n Description : The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed...", "creation_timestamp": "2026-05-11T06:35:06.063072Z"}, {"uuid": "7d6c0387-c343-4315-922d-d868af3bd800", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-6433", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3mlkqwfikpf2f", "content": "CRITICAL: Custom css-js-php WordPress plugin <=2.0.7 flaw lets unauthenticated users run arbitrary PHP code. No patch yet \u2014 disable/remove plugin now. https://radar.offseq.com/threat/cve-2026-6433-cwe-94-improper-control-of-generatio-3ad54b4b #OffSeq #WordPress #security", "creation_timestamp": "2026-05-11T07:30:33.072076Z"}, {"uuid": "a5d805f6-d6f4-4845-b8e3-4d78ce063cdf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-6433", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116554768732916983", "content": "\ud83d\udea8 CRITICAL: CVE-2026-6433 in Custom css-js-php <=2.0.7 enables unauthenticated PHP code execution via flawed input handling. No patch or exploit in the wild yet. Disable/remove plugin now. https://radar.offseq.com/threat/cve-2026-6433-cwe-94-improper-control-of-generatio-3ad54b4b #OffSeq #WordPress #vuln #WebSecurity", "creation_timestamp": "2026-05-11T07:30:41.698016Z"}, {"uuid": "4306fd3e-9a78-46ec-9f1d-d82c36813048", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-6433", "type": "published-proof-of-concept", "source": "Telegram/8zfghiqhdMgUnQpN-sW_sONu8d5R6D_u0VHsC67HR3Je1Bs", "content": "", "creation_timestamp": "2026-05-16T15:00:07.000000Z"}, {"uuid": "a2489c4a-8bce-459b-bf1a-232ceee98764", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-6433", "type": "seen", "source": "https://t.me/GithubRedTeam/84440", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2026-6433\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a murrez\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Python\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-16 10:53:04\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nPoC for CVE-2026-6433: WordPress FlipperCode Custom CSS, JS & PHP (\u22642.0.7) \u2014 unauthenticated SQLi to RCE. Python 3 stdlib; single target or bulk multi-threaded scanning. Authorized testing & research only.\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-16T11:00:04.000000Z"}, {"uuid": "5f9895e0-110d-47cf-a496-36cdae1f2b30", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-6433", "type": "confirmed", "source": "https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2026/CVE-2026-6433.yaml", "content": "", "creation_timestamp": "2026-05-26T09:52:44.000000Z"}, {"uuid": "3fc090e8-1677-4a53-9370-343b7982ca2a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-6433", "type": "published-proof-of-concept", "source": "Telegram/Q6p02XdZnb5swhwy89XHNEiDmKSj81wUwVIbU55eyIFVGP4", "content": "", "creation_timestamp": "2026-05-16T11:00:11.000000Z"}]}