Description
The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5. This is due to the 'wpcode' custom post type being registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function, allowing WordPress core to fall back to standard post capabilities for all creation paths including XML-RPC. This makes it possible for authenticated attackers, with author-level access and above, to create and publish executable PHP snippet posts via XML-RPC wp.newPost, which are then executed server-side via eval() in the run_eval() function when the snippet is rendered through the [wpcode] shortcode.
Published: 2026-05-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WPCode plugin registers a custom post type named 'wpcode' without setting a custom capability_type or any capability restrictions, so WordPress derives the post type's capabilities from the default 'post' type: creating a post of that type requires edit_posts and publishing it requires publish_posts, both of which the built-in Author role already holds. Those are exactly the checks the XML-RPC wp.newPost method performs, so an authenticated user with author-level access or higher can create and publish PHP snippet posts over XML-RPC. When a snippet is rendered through the [wpcode] shortcode, which an author-level user can also place in ordinary published content, the plugin passes the snippet body to eval() in run_eval(), giving the attacker arbitrary code execution in the context of the web server's PHP process.

Affected Systems

The vulnerability affects the WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager plugin for WordPress in versions up to and including 2.3.5. Any site running an affected version is exposed if it has at least one account at Author level or above (Author is the lowest built-in role that holds publish_posts, which is why contributors and subscribers are not named) and its XML-RPC endpoint (xmlrpc.php) is reachable. The issue does not affect other plugins or WordPress core itself.

Risk and Exploitability

The CVSS score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates a high severity vulnerability. The EPSS score is below 1%, so the estimated probability of in-the-wild exploitation was very low at publication time, and the vulnerability is not listed in the CISA KEV catalog. The required foothold is a low-privileged account (Author or higher) on a WordPress site with XML-RPC enabled; if xmlrpc.php is not exposed, the documented vector is closed, although the permissive capability mapping remains until the plugin is updated. Given that the attack path is straightforward and needs only an author-level account, which many multi-author sites hand out freely, the risk is significant for sites that meet the conditions.

Generated by OpenCVE AI on May 27, 2026 at 10:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPCode plugin to version 2.3.6 or later, which adds proper capability checks for snippet creation.
  • If XML‑RPC is not needed for legitimate operations (Jetpack, the WordPress mobile apps and some remote-publishing clients depend on it), disable the endpoint, for example with the xmlrpc_enabled filter or by blocking xmlrpc.php at the web server. This removes the documented vector but not the root cause, the permissive capability mapping, so treat it as a stopgap pending the upgrade.
  • WordPress has no per-role switch for a post type; the control is the post type's capabilities. Until the upgrade, map the 'wpcode' capabilities to an administrator-only capability such as manage_options (the register_post_type_args filter can do this from an mu-plugin), and audit existing 'wpcode' posts for any created by non-administrator accounts, treating them as potential backdoors.
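The capability fallback described in the analysis above and the last two recommended actions, as an added example written for this page (not WPCode's code and not the vendor's fix): a reconstruction of what a registration with no capability_type amounts to, beside an mu-plugin that maps the 'wpcode' capabilities to manage_options through the register_post_type_args filter, refuses any non-administrator write of a 'wpcode' row at the wp_insert_post_data layer, and turns XML-RPC off. The function names, the file name and the capability set are illustrative; the assumption that WPCode's own snippet saves run with an administrator logged in must be verified on staging.

```php
<?php
/**
 * Plugin Name: wpcode-cpt-hardening (added example, not WPCode's code)
 * Place in wp-content/mu-plugins/ so the hooks exist before WPCode
 * registers the 'wpcode' post type on init.
 */

// Illustrative reconstruction of the weak pattern the advisory describes, for
// comparison only (never hooked here): with capability_type omitted, WordPress
// derives edit_posts / publish_posts from the 'post' type, capabilities the
// Author role already holds, and wp.newPost checks nothing stronger.
function example_weak_wpcode_registration() {
    register_post_type( 'wpcode', array(
        'public'       => false,
        'show_ui'      => false,
        'show_in_rest' => false,
        // 'capability_type' omitted -> defaults to 'post'
    ) );
}

// Hardened mapping: every capability WordPress can ask about for this post
// type resolves to manage_options, so only administrators pass the checks
// that core code paths (XML-RPC, REST, the classic editor) perform.
function example_wpcode_caps() {
    $cap = 'manage_options';
    return array(
        'edit_post'              => $cap,
        'read_post'              => $cap,
        'delete_post'            => $cap,
        'edit_posts'             => $cap,
        'edit_others_posts'      => $cap,
        'delete_posts'           => $cap,
        'publish_posts'          => $cap,
        'read_private_posts'     => $cap,
        'read'                   => 'read',
        'delete_private_posts'   => $cap,
        'delete_published_posts' => $cap,
        'delete_others_posts'    => $cap,
        'edit_private_posts'     => $cap,
        'edit_published_posts'   => $cap,
        'create_posts'           => $cap,
    );
}

// register_post_type_args runs inside register_post_type(), so this overrides
// the plugin's arguments regardless of plugin load order. A capability_type
// that is not 'post' keeps any unlisted capability from falling back to the
// Author-level 'post' capabilities.
add_filter( 'register_post_type_args', function ( $args, $post_type ) {
    if ( 'wpcode' === $post_type ) {
        $args['capability_type'] = 'wpcode_snippet';
        $args['map_meta_cap']    = true;
        $args['capabilities']    = example_wpcode_caps();
    }
    return $args;
}, 10, 2 );

// Backstop below the capability layer: refuse to write a 'wpcode' row for any
// request whose user lacks manage_options, whichever path reached
// wp_insert_post(). Assumption: WPCode's own saves run as an administrator.
add_filter( 'wp_insert_post_data', function ( $data, $postarr ) {
    if ( isset( $data['post_type'] ) && 'wpcode' === $data['post_type']
        && ! current_user_can( 'manage_options' ) ) {
        $via = defined( 'XMLRPC_REQUEST' ) ? 'xmlrpc'
             : ( defined( 'REST_REQUEST' ) ? 'rest' : 'other' );
        // Log user id, intended status and path; never log credentials.
        error_log( sprintf( 'Blocked wpcode post write by user %d (status %s) via %s',
            get_current_user_id(), $data['post_status'] ?? '?', $via ) );
        wp_die( 'Insufficient permissions to create snippets.', 'Forbidden',
            array( 'response' => 403 ) );
    }
    return $data;
}, 10, 2 );

// Remove the documented vector entirely where XML-RPC is not needed.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

After deploying, confirm that an administrator can still save and activate a snippet in WPCode's UI and that an author-level test account is refused by both wp.newPost and the editor; the "Blocked wpcode post write" line in the PHP error log doubles as a detection signal for continued attempts. Then list existing snippet posts with `wp post list --post_type=wpcode --fields=ID,post_author,post_status,post_date` and treat any row whose author is not an administrator as a suspected backdoor to be reviewed before it is deleted. Drop the xmlrpc_enabled line if the site relies on Jetpack or the mobile apps; the capability mapping and the backstop still hold without it.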

Generated by OpenCVE AI on May 27, 2026 at 10:07 UTC.

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 27 May 2026 08:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the 'wpcode' custom post type being registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function, allowing WordPress core to fall back to standard post capabilities for all creation paths including XML-RPC. This makes it possible for authenticated attackers, with author-level access and above, to create and publish executable PHP snippet posts via XML-RPC wp.newPost, which are then executed server-side via eval() in the run_eval() function when the snippet is rendered through the [wpcode] shortcode.

Type: Title
Values Removed: (none)
Values Added: WPCode <= 2.3.5 - Authenticated (Author+) Remote Code Execution via CPT Capability Bypass via XML-RPC wp.newPost

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-94

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added (cvssV3_1): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:30:23.131Z

Reserved: 2026-05-18T13:53:59.461Z

Link: CVE-2026-8832

Vulnrichment

Updated: 2026-05-27T10:30:18.556Z

NVD

Status: Deferred

Published: 2026-05-27T08:16:45.537

Modified: 2026-05-27T14:50:47.627

Link: CVE-2026-8832

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:15:30Z

Weaknesses