40 matches found
WordPress Custom CSS JS PHP plugin <= 2.0.7 - Unauthenticated SQL Injection to RCE vulnerability
Unauthenticated SQL Injection to RCE vulnerability discovered by John Umoru in WordPress Plugin Custom css-js-php versions <= 2.0.7...
CVE-2026-6433
The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval, allowing unauthenticated users to execute arbitrary PHP code on the server...
CVE-2026-6433 Custom CSS JS PHP <= 2.0.7 - Unauthenticated SQL Injection to RCE
The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval, allowing unauthenticated users to execute arbitrary PHP code on the server...
PT-2026-33983
Name of the Vulnerable Software and Affected Versions Custom css-js-php versions prior to 2.0.8 Description The plugin fails to properly sanitize user input before incorporating it into a SQL query. The resulting output is then passed to the eval function, which enables unauthenticated users to...
CVE-2023-4994
The Allow PHP in Posts and Pages plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 3.0.4 via the 'php' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to execute code on the server...
CVE-2019-16289
The insert-php aka Woody ad snippets plugin before 2.2.8 for WordPress allows authenticated XSS via the winpitem parameter...
CVE-2025-58892
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in AncoraThemes Tourimo tourimo allows PHP Local File Inclusion. This issue affects Tourimo: from n/a through = 1.2.3...
EUVD-2019-7087
Malware in sbrugna...
EUVD-2022-4837
Malicious code in bioql PyPI...
com.btc.ep:btc-embeddedplatform (>=1.9.2-beta <=2.5.9), io.jenkins.blueocean:blueocean (>=1.27.17 <=1.27.25) +8 more potentially affected by CVE-2025-53651 via org.jenkins-ci.plugins:htmlpublisher (>=1.0 <=1.6)
org.jenkins-ci.plugins:htmlpublisher MAVEN version =1.0, =1.9.2-beta, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.0.0, =1.0.18 Source cves: CVE-2025-53651 Source advisory: OSV:GHSA-367V-5PPJ-2HRX...
CVE-2024-7410
The My Custom CSS PHP & ADS plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.3. This is due to the plugin not preventing direct access to the /my-custom-css/vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php file and the file...
WordPress plugin Custom CSS, JS & PHP Cross-Site Request Forgery Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A cross-site request forgery vulnerability...
OS Command Injection
snyk-php-plugin is vulnerable to OS Command Injection. The vulnerability is due to improper handling of the current working directory name, allowing code injection if Snyk test is run inside an untrusted PHP project...
Code Injection
Overview snyk-php-plugin is a plugin for the Snyk CLI tool, providing dependency metadata for PHP projects. Affected versions of this package are vulnerable to Code Injection when scanning an untrusted PHP project. The vulnerability can be triggered if Snyk test is run inside the untrusted projec...
org.jenkins-ci.plugins:php (=1.0), org.jenkins-ci.plugins:qftest (>=1.0.0 <=1.0.18) potentially affected by CVE-2024-28151 via org.jenkins-ci.plugins:htmlpublisher (>=1.0 <=1.3)
org.jenkins-ci.plugins:htmlpublisher MAVEN version =1.0, =1.0.0, =1.0.18 Source cves: CVE-2024-28151 Source advisory: OSV:GHSA-478X-M3MX-7J3F...
Remote code execution
The Allow PHP in Posts and Pages plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 3.0.4 via the 'php' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to execute code on the server...
WordPress Plugin Tags Cloud Manager Cross-Site Scripting Vulnerability
WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. A cross-site scripting vulnerability exists in the WordPress plugin Tags Cloud Manager, which is caused by improper validation of user-supplied...
org.jenkins-ci.plugins:php (=1.0), org.jenkins-ci.plugins:silk-performer-plugin (>=2.0.0-beta <=2.0.1-beta) potentially affected by CVE-2022-46682 via org.jenkins-ci.plugins:plot (>=1.5 <=2.1.0)
org.jenkins-ci.plugins:plot MAVEN version =1.5, =2.0.0-beta, =2.0.1-beta Source cves: CVE-2022-46682 Source advisory: OSV:GHSA-WGPP-G6V9-7HXP...
org.jenkins-ci.plugins:php (=1.0), org.jenkins-ci.plugins:violation-columns (>=1.0 <=1.6) potentially affected by CVE-2022-45386 via org.jenkins-ci.plugins:violations (=0.7.11)
org.jenkins-ci.plugins:violations MAVEN version =0.7.11 is affected by a known vulnerability. The following packages have a transitive dependency on org.jenkins-ci.plugins:violations and may be impacted: - org.jenkins-ci.plugins:php =1.0 - org.jenkins-ci.plugins:violation-columns =1.0, =1.6 Sourc...
org.jenkins-ci.plugins:php (=1.0), org.jenkins-ci.plugins:silk-performer-plugin (>=2.0.0-beta <=2.0.1-beta) potentially affected by CVE-2022-34783 via org.jenkins-ci.plugins:plot (>=1.5 <=2.1.0)
org.jenkins-ci.plugins:plot MAVEN version =1.5, =2.0.0-beta, =2.0.1-beta Source cves: CVE-2022-34783 Source advisory: OSV:GHSA-HPF7-MMQW-G6VQ...