CVE-2026-8832
Remote Code Execution in WPCode WordPress Plugin
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpcode | insert_headers_and_footers | to 2.3.5 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
The WPCode - Insert Headers and Footers + Custom Code Snippets WordPress plugin is vulnerable to Remote Code Execution (RCE) in versions up to and including 2.3.5. This happens because the 'wpcode' custom post type is registered without custom capability restrictions, causing WordPress to use standard post capabilities for all creation methods, including XML-RPC.
As a result, authenticated users with author-level access or higher can create and publish executable PHP snippet posts through the XML-RPC wp.newPost method. These snippets are then executed server-side via the eval() function when rendered through the [wpcode] shortcode.
How can this vulnerability impact me?
This vulnerability allows attackers with author-level access or higher to execute arbitrary PHP code on the server remotely. This can lead to full compromise of the affected WordPress site, including unauthorized data access, data modification, site defacement, or further attacks on the hosting environment.