CVE-2026-6433
HIGH | EXPLOITED | NUCLEI
Custom CSS JS PHP <= 2.0.7 - Unauthenticated SQL Injection to Remote Code Execution
Title source: manual
Exploitation Summary
CVE-2026-6433 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including murrez. A Nuclei detection template is also available.
AI-analyzed exploit summary
This repository contains a functional exploit for CVE-2026-6433, targeting FlipperCode Custom CSS, JS & PHP <= 2.0.7. The exploit chains unauthenticated SQL injection with remote code execution via eval(), allowing arbitrary command execution on vulnerable WordPress installations.
Description
The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval(), allowing unauthenticated users to execute arbitrary PHP code on the server.
Exploits (1)
Nuclei Templates (1)
http.component:"WordPress"
References (1)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L