whatisgithub

What is cve-2026-6433?

murrez/cve-2026-6433 — explained in plain English

Analysis updated 2026-05-18

0PythonAudience · developerComplexity · 3/5Setup · easy

In one sentence

A proof-of-concept Python script demonstrating an unauthenticated SQL injection to remote code execution flaw in a WordPress plugin.

Mindmap

mindmap
  root((CVE-2026-6433))
    What it does
      Demonstrates SQLi to RCE
      Targets WordPress plugin
      Single or bulk scanning
    Tech stack
      Python
    Use cases
      Authorized penetration testing
      Security research
    Audience
      Security researchers

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Verify whether a WordPress site running the affected plugin version is vulnerable, with written authorization.

USE CASE 2

Run a bulk scan across a list of authorized target URLs using multiple threads.

USE CASE 3

Demonstrate the exploit chain for security research and education.

What is it built with?

Python

How does it compare?

murrez/cve-2026-64330xhassaan/nn-from-scratch3ks/embedoc
Stars00
LanguagePythonPythonPython
Last pushed2023-06-08
MaintenanceDormant
Setup difficultyeasymoderatehard
Complexity3/54/51/5
Audiencedeveloperdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Uses only the Python standard library. Intended strictly for authorized testing, unauthorized use may be illegal.

No license file was found in the README.

So what is it?

CVE-2026-6433 is a proof-of-concept security research script that demonstrates a vulnerability in the FlipperCode Custom CSS, JS & PHP WordPress plugin, affecting versions up to and including 2.0.7. The vulnerability allows an attacker who is not logged in to exploit a SQL injection flaw, a type of attack where malicious database commands are smuggled through a web form or request, and use it to achieve remote code execution, meaning arbitrary code can be run on the server hosting the WordPress site. The script is written in Python and uses only the standard library, so no additional packages need to be installed. It operates in two modes: single-target mode, where you point it at one site, and bulk mode, where you supply a text file of URLs and the script tests them concurrently using multiple threads. Various command-line flags control behavior such as running a shell command on the remote host, writing a proof file to the server, skipping automatic cleanup of that file, or running cleanup only. The exploit chain works by sending a specially crafted request to the plugin's admin-ajax.php endpoint, injecting a PHP payload via the SQL flaw, having that payload written to the server's document root, and then optionally fetching the result or running a command through it. This tool is intended strictly for authorized security testing, defensive research, and education. Running it against systems without explicit written permission may violate computer misuse laws.

Copy-paste prompts

Prompt 1
Explain how this SQL injection to remote code execution exploit chain works, step by step.
Prompt 2
What command-line flags does this PoC support for cleanup and proof file handling?
Prompt 3
Help me understand the legal boundaries of running a PoC like this against a target.
Prompt 4
How does this script target the plugin's admin-ajax.php endpoint?

Frequently asked questions

What is cve-2026-6433?

A proof-of-concept Python script demonstrating an unauthenticated SQL injection to remote code execution flaw in a WordPress plugin.

What language is cve-2026-6433 written in?

Mainly Python. The stack also includes Python.

What license does cve-2026-6433 use?

No license file was found in the README.

How hard is cve-2026-6433 to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is cve-2026-6433 for?

Mainly developer.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.