Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the 'wpcode' custom post type being registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function, allowing WordPress core to fall back to standard post capabilities for all creation paths including XML-RPC. This makes it possible for authenticated attackers, with author-level access and above, to create and publish executable PHP snippet posts via XML-RPC wp.newPost, which are then executed server-side via eval() in the run_eval() function when the snippet is rendered through the [wpcode] shortcode.
AnalysisAI
Remote code execution in the WPCode WordPress plugin (versions through 2.3.5) lets authenticated author-level users run arbitrary PHP on the server. Because the plugin registers its 'wpcode' custom post type without a dedicated capability_type, WordPress falls back to standard post capabilities, so any author can create and publish PHP snippet posts via the XML-RPC wp.newPost method, which are later passed to eval() when rendered through the [wpcode] shortcode. EPSS is modest at 0.44% (63rd percentile) and there is no public exploit identified at time of analysis, but the low privilege bar and full CIA impact make this a high-priority patch for any multi-author site.
Technical ContextAI
The vulnerability lives in WPCode's snippet-execution pipeline for WordPress. The root cause is CWE-94 (Improper Control of Generation of Code, i.e. code injection): wpcode_register_post_type() in includes/post-type.php registers the 'wpcode' custom post type without setting capability_type or a map_meta_cap capability set, so WordPress core applies the generic post/page capabilities (edit_posts, publish_posts) rather than an admin-only set. PHP-type snippets are ultimately handled by run_eval() in class-wpcode-snippet-execute-php.php, which calls PHP's native eval() on the snippet body when the [wpcode] shortcode (includes/shortcode.php) renders the snippet. Combined with the create paths exposed by the XML-RPC API (wp.newPost), this turns a content-authoring capability into direct server-side code execution. There is no CPE string in the supplied data; the EUVD entry identifies the affected component as 'WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager' at versions 0 through 2.3.5.
RemediationAI
Vendor-released patch: 2.3.6 - upgrade WPCode to version 2.3.6 or later, which is the fixed release identified by the plugin-repository changeset diffing tag 2.3.5 against 2.3.6 (https://plugins.trac.wordpress.org/changeset?old_path=%2Finsert-headers-and-footers/tags/2.3.5&new_path=%2Finsert-headers-and-footers/tags/2.3.6) and the targeted post-type.php fix in changeset 3549060 (https://plugins.trac.wordpress.org/changeset/3549060/insert-headers-and-footers/trunk/includes/post-type.php), which adds capability restrictions to the wpcode post type. If immediate patching is not possible, reduce exposure by disabling XML-RPC (block or filter the wp.newPost method, e.g. via the xmlrpc_methods filter or a WAF rule) - note this can break legitimate clients such as the WordPress mobile app, Jetpack, and remote-publishing tools. As a stronger short-term control, restrict author-and-above accounts to fully trusted users and audit existing author/editor accounts for unexpected wpcode posts; you can also temporarily deactivate the plugin if no snippets are in active use, at the cost of losing any code injected through it. Review the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/75a2e8b1-d5e0-4f7b-a70a-f0aadf58c778?source=cve) for detection guidance.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32100
GHSA-54cw-c4v7-gx5m