Skip to main content

WPCode CVE-2026-8832

| EUVDEUVD-2026-32100 HIGH
Code Injection (CWE-94)
2026-05-27 security@wordfence.com GHSA-54cw-c4v7-gx5m
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 20:45 vuln.today
CVE Published
May 27, 2026 - 08:16 nvd
HIGH 8.8

DescriptionCVE.org

The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the 'wpcode' custom post type being registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function, allowing WordPress core to fall back to standard post capabilities for all creation paths including XML-RPC. This makes it possible for authenticated attackers, with author-level access and above, to create and publish executable PHP snippet posts via XML-RPC wp.newPost, which are then executed server-side via eval() in the run_eval() function when the snippet is rendered through the [wpcode] shortcode.

AnalysisAI

Remote code execution in the WPCode WordPress plugin (versions through 2.3.5) lets authenticated author-level users run arbitrary PHP on the server. Because the plugin registers its 'wpcode' custom post type without a dedicated capability_type, WordPress falls back to standard post capabilities, so any author can create and publish PHP snippet posts via the XML-RPC wp.newPost method, which are later passed to eval() when rendered through the [wpcode] shortcode. EPSS is modest at 0.44% (63rd percentile) and there is no public exploit identified at time of analysis, but the low privilege bar and full CIA impact make this a high-priority patch for any multi-author site.

Technical ContextAI

The vulnerability lives in WPCode's snippet-execution pipeline for WordPress. The root cause is CWE-94 (Improper Control of Generation of Code, i.e. code injection): wpcode_register_post_type() in includes/post-type.php registers the 'wpcode' custom post type without setting capability_type or a map_meta_cap capability set, so WordPress core applies the generic post/page capabilities (edit_posts, publish_posts) rather than an admin-only set. PHP-type snippets are ultimately handled by run_eval() in class-wpcode-snippet-execute-php.php, which calls PHP's native eval() on the snippet body when the [wpcode] shortcode (includes/shortcode.php) renders the snippet. Combined with the create paths exposed by the XML-RPC API (wp.newPost), this turns a content-authoring capability into direct server-side code execution. There is no CPE string in the supplied data; the EUVD entry identifies the affected component as 'WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager' at versions 0 through 2.3.5.

RemediationAI

Vendor-released patch: 2.3.6 - upgrade WPCode to version 2.3.6 or later, which is the fixed release identified by the plugin-repository changeset diffing tag 2.3.5 against 2.3.6 (https://plugins.trac.wordpress.org/changeset?old_path=%2Finsert-headers-and-footers/tags/2.3.5&new_path=%2Finsert-headers-and-footers/tags/2.3.6) and the targeted post-type.php fix in changeset 3549060 (https://plugins.trac.wordpress.org/changeset/3549060/insert-headers-and-footers/trunk/includes/post-type.php), which adds capability restrictions to the wpcode post type. If immediate patching is not possible, reduce exposure by disabling XML-RPC (block or filter the wp.newPost method, e.g. via the xmlrpc_methods filter or a WAF rule) - note this can break legitimate clients such as the WordPress mobile app, Jetpack, and remote-publishing tools. As a stronger short-term control, restrict author-and-above accounts to fully trusted users and audit existing author/editor accounts for unexpected wpcode posts; you can also temporarily deactivate the plugin if no snippets are in active use, at the cost of losing any code injected through it. Review the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/75a2e8b1-d5e0-4f7b-a70a-f0aadf58c778?source=cve) for detection guidance.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-8832 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy