What the vulnerability does
01 Description
The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5. This is due to the 'wpcode' custom post type being registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function, allowing WordPress core to fall back to the standard post capabilities for all creation paths, including XML-RPC. This makes it possible for authenticated attackers, with author-level access and above, to create and publish executable PHP snippet posts via XML-RPC wp.newPost, which are then executed server-side via eval() in the run_eval() function when the snippet is rendered through the [wpcode] shortcode.
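The capability fallback the description refers to, shown as an added example that is not WPCode's own code: a post type registered without a capability_type inherits the 'post' capabilities, so any user who can edit posts can create one (XML-RPC included), whereas mapping every capability the type consults to manage_options closes all creation paths at once. The post type name 'wpcode' comes from the advisory; the function names here, including the snippet_caps_audit helper, are hypothetical.

```php
<?php
// Added example, not WPCode's own code. Hypothetical function names.

// WEAK: no capability_type, so WordPress falls back to the 'post' capabilities.
// Any user holding edit_posts (Author and above) can create and, with
// publish_posts, publish these objects through every core path, XML-RPC included.
function weak_register_snippet_type() {
    register_post_type( 'wpcode', array(
        'public'  => false,
        'show_ui' => true,
        // 'capability_type' omitted: defaults to 'post'
    ) );
}

// HARDENED: give the type its own capability_type and override every primitive
// capability core consults (edit_posts, publish_posts, create_posts, ...) with
// manage_options. Remapping only create_posts is not enough: the XML-RPC and
// REST creation paths check the type's edit_posts / publish_posts capabilities.
function hardened_register_snippet_type() {
    $caps = array_fill_keys( array(
        'edit_post', 'read_post', 'delete_post', 'edit_posts', 'edit_others_posts',
        'delete_posts', 'publish_posts', 'read_private_posts', 'create_posts',
        'delete_private_posts', 'delete_published_posts', 'delete_others_posts',
        'edit_private_posts', 'edit_published_posts',
    ), 'manage_options' );

    register_post_type( 'wpcode', array(
        'public'          => false,
        'show_ui'         => true,
        'show_in_rest'    => false,            // keep it off the REST API too
        'capability_type' => 'wpcode_snippet', // no longer shares 'post' caps
        'map_meta_cap'    => true,
        'capabilities'    => $caps,
    ) );
}

// Audit helper (hypothetical): report which capabilities gate creation of a
// post type, so a site owner can spot a type that fell back to the 'post' caps.
// Run e.g. with WP-CLI: wp eval 'echo snippet_caps_audit("wpcode");'
function snippet_caps_audit( $post_type ) {
    $obj = get_post_type_object( $post_type );
    if ( ! $obj ) {
        return "post type '{$post_type}' is not registered";
    }
    $fallback = ( 'edit_posts' === $obj->cap->edit_posts );
    return sprintf( "%s: edit_posts=%s create_posts=%s publish_posts=%s%s",
        $post_type, $obj->cap->edit_posts, $obj->cap->create_posts,
        $obj->cap->publish_posts,
        $fallback ? ' [uses default post capabilities: any Author can create]' : '' );
}
```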
Explanation of Vulnerability in Simple Terms
02 Summary
WPCode versions up to 2.3.5 contain a code injection vulnerability that allows authenticated users with low privileges to execute arbitrary PHP code on the site. An attacker with a standard user account can inject and run malicious code through the plugin's code snippet functionality, gaining full control over the WordPress installation. This affects confidentiality, integrity, and availability of the site.
What an attacker can do
03 Attacker Capabilities
Run arbitrary PHP code on the site with full access to the WordPress database and files.
Potential impact on your site
04 Site Impact
Any low-privilege user account can compromise the entire WordPress site, steal data, modify content, or install backdoors.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege WordPress user account (e.g., Contributor or Author role).
Key dates
06 Disclosure timeline
CVE published: May 27, 2026
Record updated: May 27, 2026