CVE-2026-6433
Published: 2026-05-11
Priority: P276 · Severity: high · 7.3 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:L
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 0.75% (50.4th percentile)
The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval(), allowing unauthenticated users to execute arbitrary PHP code on the server.
Detection & IOCs (extracted from sources)
- command: action=fc_ajax_call&operation=wce_editor_inline_code&id=0+UNION+SELECT+1,'t','php',0x3c3f7068702066696c655f7075745f636f6e74656e74732827{{hex_encode(filename)}}2e747874272c27{{hex_encode(marker)}}27293b203f3e,'header','',0,1--+
- command: action=fc_ajax_call&operation=wce_editor_inline_code&id=0+UNION+SELECT+1,'t','php',0x3c3f7068702040756e6c696e6b2827{{hex_encode(filename)}}2e74787427293b203f3e,'header','',0,1--+
- bytes: 0x3c3f706870 (<?php prefix in hex, injected via the UNION SELECT payload)
- The exploit targets the unauthenticated AJAX action 'fc_ajax_call' with operation 'wce_editor_inline_code' via POST to /wp-admin/admin-ajax.php; no authentication is required.
- The attack uses a UNION-based SQL injection in the 'id' parameter to inject a hex-encoded PHP file_put_contents() payload, writing a .txt file under /wp-admin/; detect POST requests to admin-ajax.php whose 'id' contains UNION SELECT and hex-encoded PHP tags.
- The second-stage payload uses PHP @unlink() to clean up the dropped file; monitor for POSTs to admin-ajax.php with hex-encoded 0x3c3f706870 (<?php) in the 'id' parameter body.
- The unauthenticated SQL injection result is passed to eval(), enabling arbitrary PHP code execution; monitor for eval() calls originating from the custom-css-js-php plugin context.
- Shodan fingerprint for exposed targets: http.component:"WordPress"; combine with detection of the fc_ajax_call action in web logs.
- The Nuclei template uses randomized filename and marker variables per execution ({{rand_text_alpha(8)}} and {{rand_text_alpha(12)}}), so the dropped .txt file path and its content marker differ on every exploit attempt; static string matching on the filename alone is insufficient.
- The exploit is a three-step flow (inject, verify the file write, cleanup); detection must correlate all three requests. The template treats a 200 or 500 response on the first POST as a success condition.
- Affected versions are 2.0.7 and below; the vulnerability is exploitable without any authentication (PR:N, UI:N), so no session or cookie indicators will be present in attacker traffic.
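One way to turn the indicators above into a log-side detection, added here as an example that is not from the page's sources or from the plugin: a Python matcher over constructed web-log entries (the entry format, the source IPs and the 5-minute correlation window are assumptions) that flags POSTs to admin-ajax.php carrying the fc_ajax_call / wce_editor_inline_code route together with a UNION SELECT or a hex-encoded <?php in 'id', and groups repeated hits per source so the multi-step inject/cleanup flow surfaces as one event.

```python
import re
from urllib.parse import parse_qs

# Indicators taken from the detection notes on this page.
AJAX_PATH = "/wp-admin/admin-ajax.php"
PHP_OPEN_TAG_HEX = "3c3f706870"  # hex encoding of "<?php"
UNION_SELECT = re.compile(r"\bunion\b.{0,32}?\bselect\b", re.I | re.S)

def indicators(method, path, body):
    """Page indicators matched by one request; body is the form-encoded POST data."""
    hits = set()
    if method.upper() != "POST" or path.split("?", 1)[0] != AJAX_PATH:
        return hits
    params = parse_qs(body, keep_blank_values=True)
    first = lambda key: params.get(key, [""])[0]
    if first("action") == "fc_ajax_call":
        hits.add("fc_ajax_call")
    if first("operation") == "wce_editor_inline_code":
        hits.add("wce_editor_inline_code")
    id_value = first("id")
    if UNION_SELECT.search(id_value):
        hits.add("union_select_in_id")
    if PHP_OPEN_TAG_HEX in id_value.lower():
        hits.add("hex_php_tag")
    return hits

def is_exploit_attempt(hits):
    """Vulnerable AJAX route plus an injection marker in 'id' = high-confidence attempt."""
    return {"fc_ajax_call", "wce_editor_inline_code"} <= hits and bool(
        hits & {"union_select_in_id", "hex_php_tag"})

def correlate(entries, window=300):
    """Sources with >= 2 flagged POSTs inside `window` seconds (inject + cleanup steps)."""
    flagged = {}
    for e in sorted(entries, key=lambda e: e["ts"]):
        if is_exploit_attempt(indicators(e["method"], e["path"], e["body"])):
            flagged.setdefault(e["src"], []).append(e["ts"])
    return {src: ts for src, ts in flagged.items()
            if len(ts) >= 2 and ts[-1] - ts[0] <= window}

# Constructed sample log entries; the hex literal is truncated to the "<?php" prefix on purpose.
INJECT = ("action=fc_ajax_call&operation=wce_editor_inline_code"
          "&id=0+UNION+SELECT+1,'t','php',0x3c3f706870,'header','',0,1--+")
SAMPLE = [
    {"ts": 1000, "src": "203.0.113.5", "method": "POST", "path": AJAX_PATH, "body": INJECT},
    {"ts": 1002, "src": "203.0.113.5", "method": "GET", "path": "/wp-admin/abcdefgh.txt", "body": ""},
    {"ts": 1003, "src": "203.0.113.5", "method": "POST", "path": AJAX_PATH, "body": INJECT},
    {"ts": 1005, "src": "198.51.100.9", "method": "POST", "path": AJAX_PATH,
     "body": "action=fc_ajax_call&operation=wce_editor_inline_code&id=12"},
]
```

`correlate(SAMPLE)` returns `{'203.0.113.5': [1000, 1003]}`: the benign-looking request from the second source hits the route but carries no injection marker, so it is not flagged.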
CVSS provenance
- NVD (v3.1): 7.3 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- VulnCheck: 7.3 HIGH
GHSA
GHSA-c697-h8w8-m356 · ghsa_unreviewed · 2026-05-11 · HIGH
The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval(), allowing unauthenticated users to execute arbitrary PHP code on the server.
VulnCheck
Improper Control of Generation of Code ('Code Injection') · vulncheck · 2026 · CVSS 7.3 HIGH
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://ctrlaltintel.com/research/Wordpress/
Exploit PoC: https://vulncheck.com/xdb/9775405c3687
No detection rules found.
Nuclei
FlipperCode Custom CSS, JS & PHP <= 2.0.7 - Remote Code Execution · nuclei · CVSS 7.3 HIGH
Custom css-js-php WordPress plugin through 2.0.7 contains a command injection caused by unsanitized user input used in SQL query and passed to eval(), letting unauthenticated attackers execute arbitrary PHP code on the server.
Template:
    id: CVE-2026-6433

    info:
      name: FlipperCode Custom CSS, JS & PHP <= 2.0.7 - Remote Code Execution
      author: theamanrawat
      severity: critical
      description: |
        Custom css-js-php WordPress plugin through 2.0.7 contains a command injection caused by unsanitized user input used in SQL query and passed to eval(), letting unauthenticated attackers execute arbitrary PHP code on the server.
      impact: |
        Unauthenticated attackers can execute arbitrary PHP code on the server, leading to full server compromise
No writeups or analysis indexed.
Timeline: 2026-05-11 · Published · Exploited in the wild