CVE-2026-6433 Scanner

CVE-2026-6433 Scanner - Remote Code Execution vulnerability in FlipperCode Custom CSS, JS & PHP

Short Info

Level: Critical
Scan type: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 17 days 3 hours
Scan only one: Domain, Subdomain, IPv4


FlipperCode Custom CSS, JS & PHP is a WordPress plugin for managing and executing custom code, such as CSS, JavaScript, and PHP, within web pages. It is typically used by web administrators and developers to extend and customize site functionality, and it provides an interface for inserting code snippets directly into WordPress themes or posts. The plugin is popular for its ease of use and flexibility, allowing non-technical users to make website enhancements without modifying theme files directly. Because it exists to run user-supplied code, it demands strict security hygiene: a plugin that simplifies custom code management also becomes a serious risk when that code, or the input feeding it, is handled improperly.

The vulnerability in question is a Remote Code Execution (RCE) flaw in versions <= 2.0.7 of the Custom CSS, JS & PHP plugin. Unsanitized user input is incorporated into a SQL query, and the result of that query is subsequently evaluated, which allows arbitrary PHP code to be executed on the server. The flaw can be exploited without authentication, which makes it particularly dangerous: an unauthenticated attacker may be able to take full control of the server hosting the WordPress site. A successful attack could result in unauthorized access to sensitive information, data manipulation, or a complete server takeover. Ensuring that user input is properly validated and sanitized is crucial to preventing such vulnerabilities.

The vulnerable endpoint is the plugin's handler behind WordPress's admin-ajax.php, which dispatches incoming requests to the plugin's actions and operations. Specifically, the flaw lies in how the plugin handles requests carrying 'action=fc_ajax_call&operation=wce_editor_inline_code': a UNION SELECT query containing SQL and PHP payloads is executed without proper sanitization, and its result is passed to eval(), a dangerous PHP function that executes whatever code it receives. By leveraging this flaw, attackers can craft requests that run arbitrary PHP code on the server, potentially creating and executing new files with malicious content.
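The request pattern described above is also what a defender can look for in web server logs. The following is an added example, not part of the original page or of the scanner it describes: it parses constructed combined-format access log lines, flags any hit on the fc_ajax_call / wce_editor_inline_code operation, and escalates the finding when a decoded parameter value carries a UNION ... SELECT. It assumes the parameters are visible in the request line (GET); POST bodies only appear in a WAF or request-body log, not in a standard access log.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 51
203.0.113.8 - - [12/Mar/2026:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=fc_ajax_call&operation=wce_editor_inline_code&id=12 HTTP/1.1" 200 310
198.51.100.23 - - [12/Mar/2026:10:02:41 +0000] "GET /wp-admin/admin-ajax.php?action=fc_ajax_call&operation=wce_editor_inline_code&id=1%20UNION%20SELECT%201,2 HTTP/1.1" 200 870
198.51.100.23 - - [12/Mar/2026:10:02:44 +0000] "GET /index.php HTTP/1.1" 200 4120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)
# UNION [ALL] SELECT with whitespace or inline-comment (/**/) separators, case-insensitive.
UNION_SELECT_RE = re.compile(r'\bunion\b[\s/*]+(?:all[\s/*]+)?select\b', re.IGNORECASE)


def classify_request(url):
    """Return a finding label for one request URL, or None if it is unrelated."""
    parts = urlsplit(url)
    if not parts.path.endswith('/admin-ajax.php'):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    # Only the vulnerable action/operation pair from the advisory is of interest.
    if params.get('action') != ['fc_ajax_call'] or params.get('operation') != ['wce_editor_inline_code']:
        return None
    # parse_qs has already percent-decoded the values, so evasion via %20 is handled.
    for values in params.values():
        if any(UNION_SELECT_RE.search(v) for v in values):
            return 'union-select-injection'
    # Legitimate plugin traffic also hits this operation; report it at low severity.
    return 'vulnerable-operation-hit'


def scan_log(text):
    """Yield (client ip, timestamp, label) for every line that produces a finding."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        label = classify_request(m['url'])
        if label:
            findings.append((m['ip'], m['ts'], label))
    return findings


if __name__ == '__main__':
    for ip, ts, label in scan_log(SAMPLE_LOG):
        print(f'{ts} {ip} {label}')
```

A 'vulnerable-operation-hit' on an unpatched site is worth correlating with source IP and volume, while a 'union-select-injection' hit warrants treating the host as potentially compromised, since the page notes the query result reaches eval().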

Exploitation of this vulnerability could have severe consequences including, but not limited to, unauthorized access and control over the entire web server. An attacker exploiting this vulnerability could upload additional malicious scripts, execute further commands, or even leverage the server as a launch pad for further attacks against internal or external networks. The integrity, confidentiality, and availability of the server, along with any data it processes, may be compromised. Affected websites could be subjected to defacement, data theft, or service disruptions, highlighting the critical need for rapid patching and secure configuration practices.
