Analysis updated 2026-05-18
Verify whether a WordPress site running the affected plugin version is vulnerable, with written authorization.
Run a bulk scan across a list of authorized target URLs using multiple threads.
Demonstrate the exploit chain for security research and education.
| murrez/cve-2026-6433 | 0xhassaan/nn-from-scratch | 3ks/embedoc | |
|---|---|---|---|
| Stars | 0 | 0 | — |
| Language | Python | Python | Python |
| Last pushed | — | — | 2023-06-08 |
| Maintenance | — | — | Dormant |
| Setup difficulty | easy | moderate | hard |
| Complexity | 3/5 | 4/5 | 1/5 |
| Audience | developer | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Uses only the Python standard library. Intended strictly for authorized testing, unauthorized use may be illegal.
CVE-2026-6433 is a proof-of-concept security research script that demonstrates a vulnerability in the FlipperCode Custom CSS, JS & PHP WordPress plugin, affecting versions up to and including 2.0.7. The vulnerability allows an attacker who is not logged in to exploit a SQL injection flaw, a type of attack where malicious database commands are smuggled through a web form or request, and use it to achieve remote code execution, meaning arbitrary code can be run on the server hosting the WordPress site. The script is written in Python and uses only the standard library, so no additional packages need to be installed. It operates in two modes: single-target mode, where you point it at one site, and bulk mode, where you supply a text file of URLs and the script tests them concurrently using multiple threads. Various command-line flags control behavior such as running a shell command on the remote host, writing a proof file to the server, skipping automatic cleanup of that file, or running cleanup only. The exploit chain works by sending a specially crafted request to the plugin's admin-ajax.php endpoint, injecting a PHP payload via the SQL flaw, having that payload written to the server's document root, and then optionally fetching the result or running a command through it. This tool is intended strictly for authorized security testing, defensive research, and education. Running it against systems without explicit written permission may violate computer misuse laws.
A proof-of-concept Python script demonstrating an unauthenticated SQL injection to remote code execution flaw in a WordPress plugin.
Mainly Python. The stack also includes Python.
No license file was found in the README.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.