CVE-2026-8832
Deferred Deferred - Pending Action

Remote Code Execution in WPCode WordPress Plugin

Vulnerability report for CVE-2026-8832, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: Wordfence

Description

The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the 'wpcode' custom post type being registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function, allowing WordPress core to fall back to standard post capabilities for all creation paths including XML-RPC. This makes it possible for authenticated attackers, with author-level access and above, to create and publish executable PHP snippet posts via XML-RPC wp.newPost, which are then executed server-side via eval() in the run_eval() function when the snippet is rendered through the [wpcode] shortcode.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-07-06
AI Q&A
2026-05-27
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wpcode insert_headers_and_footers to 2.3.5 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The WPCode - Insert Headers and Footers + Custom Code Snippets WordPress plugin is vulnerable to Remote Code Execution (RCE) in versions up to and including 2.3.5. This happens because the 'wpcode' custom post type is registered without custom capability restrictions, causing WordPress to use standard post capabilities for all creation methods, including XML-RPC.

As a result, authenticated users with author-level access or higher can create and publish executable PHP snippet posts through the XML-RPC wp.newPost method. These snippets are then executed server-side via the eval() function when rendered through the [wpcode] shortcode.

Impact Analysis

This vulnerability allows attackers with author-level access or higher to execute arbitrary PHP code on the server remotely. This can lead to full compromise of the affected WordPress site, including unauthorized data access, data modification, site defacement, or further attacks on the hosting environment.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8832. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart