CVE-2026-8832
Deferred Deferred - Pending Action
Remote Code Execution in WPCode WordPress Plugin

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: Wordfence

Description
The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the 'wpcode' custom post type being registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function, allowing WordPress core to fall back to standard post capabilities for all creation paths including XML-RPC. This makes it possible for authenticated attackers, with author-level access and above, to create and publish executable PHP snippet posts via XML-RPC wp.newPost, which are then executed server-side via eval() in the run_eval() function when the snippet is rendered through the [wpcode] shortcode.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-8832
EUVD
EUVD-2026-32100
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wpcode insert_headers_and_footers to 2.3.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The WPCode - Insert Headers and Footers + Custom Code Snippets WordPress plugin is vulnerable to Remote Code Execution (RCE) in versions up to and including 2.3.5. This happens because the 'wpcode' custom post type is registered without custom capability restrictions, causing WordPress to use standard post capabilities for all creation methods, including XML-RPC.

As a result, authenticated users with author-level access or higher can create and publish executable PHP snippet posts through the XML-RPC wp.newPost method. These snippets are then executed server-side via the eval() function when rendered through the [wpcode] shortcode.

Impact Analysis

This vulnerability allows attackers with author-level access or higher to execute arbitrary PHP code on the server remotely. This can lead to full compromise of the affected WordPress site, including unauthorized data access, data modification, site defacement, or further attacks on the hosting environment.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8832. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart