CVE-2026-6433

HIGH EXPLOITED NUCLEI

Custom CSS JS PHP <= 2.0.7 - Unauthenticated SQL Injection to Remote Code Execution

Title source: manual
STIX 2.1

Exploitation Summary

CVE-2026-6433 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including murrez. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-6433, targeting FlipperCode Custom CSS, JS & PHP <= 2.0.7. The exploit chains unauthenticated SQL injection with remote code execution via eval(), allowing arbitrary command execution on vulnerable WordPress installations.

Description

The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval(), allowing unauthenticated users to execute arbitrary PHP code on the server.

Exploits (1)

nomisec WORKING POC
by murrez · remote
https://github.com/murrez/CVE-2026-6433

This repository contains a functional exploit for CVE-2026-6433, targeting FlipperCode Custom CSS, JS & PHP <= 2.0.7. The exploit chains unauthenticated SQL injection with remote code execution via eval(), allowing arbitrary command execution on vulnerable WordPress installations.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: FlipperCode Custom CSS, JS & PHP <= 2.0.7
No auth needed
Prerequisites: WordPress installation with vulnerable plugin active · Network access to target
devstral-2 · analyzed May 16, 2026 Full analysis →

Nuclei Templates (1)

FlipperCode Custom CSS, JS & PHP <= 2.0.7 - Remote Code Execution
CRITICALVERIFIEDby theamanrawat
Shodan: http.component:"WordPress"

References (1)

Core 1
Core References
Exploit exploit vdb-entry technical-description
https://wpscan.com/vulnerability/a0b1c059-e156-4402-ac8d-67f8ad7386cc/

Scores

CVSS v3 7.3
EPSS 0.0075
EPSS Percentile 50.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

VulnCheck KEV 2026-06-23
Status published
Products (1)
None/Custom css-js-php 2.0.7
Published May 11, 2026
Tracked Since May 11, 2026