CVE-2026-8832 HIGH

CVE-2026-8832: WPCode <= 2.3.5 - Authenticated (Author+) Remote Code Execution via CPT Capability Bypass via XML-RPC wp.newPost

Vendor Smub
Product WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager
Weakness CWE-94 · Code injection
Published May 27, 2026
Last update May 27, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5. This is due to the 'wpcode' custom post type being registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function, allowing WordPress core to fall back to standard post capabilities for all creation paths, including XML-RPC. This makes it possible for authenticated attackers, with author-level access and above, to create and publish executable PHP snippet posts via XML-RPC wp.newPost, which are then executed server-side via eval() in the run_eval() function when the snippet is rendered through the [wpcode] shortcode.
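The following is an added illustration, not WPCode's own code: it shows how a custom post type registered without its own capabilities inherits the standard post capabilities that XML-RPC wp.newPost checks, beside a registration that maps the snippet type to a separate capability set so that only users holding that capability can create or publish snippets through any core path. The function names, the choice of manage_options and the option keys are assumptions for this example.

```php
<?php
// Illustrative only (added example, not the plugin's code). A CPT that relies
// on default capabilities is reachable through XML-RPC wp.newPost by any user
// who may publish ordinary posts, because core maps its caps to 'post' caps.

// Weak: no capability_type / capabilities. wp.newPost's checks against
// $post_type->cap->edit_posts and ->publish_posts resolve to the ordinary
// edit_posts / publish_posts capabilities, which the Author role holds.
function example_register_snippet_cpt_weak() {
    register_post_type( 'wpcode', array(
        'public'   => false,
        'show_ui'  => true,
        'supports' => array( 'title', 'editor' ),
        // 'capability_type' silently defaults to 'post'
    ) );
}

// Hardened: give the type its own capability set and map every capability to
// a single administrative capability (assumed here: manage_options), so only
// users holding it can create, edit or publish snippets via any core path.
function example_register_snippet_cpt_hardened() {
    $cap = 'manage_options';
    register_post_type( 'wpcode', array(
        'public'          => false,
        'show_ui'         => true,
        'supports'        => array( 'title', 'editor' ),
        'capability_type' => 'wpcode_snippet',
        'map_meta_cap'    => false, // meta caps use the explicit map below
        'capabilities'    => array(
            'edit_post'         => $cap,
            'read_post'         => $cap,
            'delete_post'       => $cap,
            'edit_posts'        => $cap,
            'edit_others_posts' => $cap,
            'publish_posts'     => $cap,
            'delete_posts'      => $cap,
            'create_posts'      => $cap,
        ),
    ) );
}
add_action( 'init', 'example_register_snippet_cpt_hardened' );

// Site-owner check (e.g. from a mu-plugin or WP-CLI shell): can the given
// user satisfy the capabilities wp.newPost tests before creating/publishing?
function example_user_can_publish_snippet( $user_id ) {
    $pto = get_post_type_object( 'wpcode' );
    if ( ! $pto ) { return false; }
    return user_can( $user_id, $pto->cap->edit_posts )
        && user_can( $user_id, $pto->cap->publish_posts );
}
```

Run the check against an Author-level test account: it returns true under the weak registration and false under the hardened one. Restricting who may create snippets narrows exposure; the stored code is still passed to eval() at render time, so updating the plugin remains the fix.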

Explanation of Vulnerability in Simple Terms

02 Summary

WPCode versions up to 2.3.5 contain a code injection vulnerability that allows authenticated users with low privileges to execute arbitrary PHP code on the site. An attacker with a standard user account can inject and run malicious code through the plugin's code snippet functionality, gaining full control over the WordPress installation. This affects confidentiality, integrity, and availability of the site.

What an attacker can do

03 Attacker Capabilities

Run arbitrary PHP code on the site with full access to the WordPress database and files.

Potential impact on your site

04 Site Impact

Any low-privilege user account can compromise the entire WordPress site, steal data, modify content, or install backdoors.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege WordPress user account (e.g., Contributor or Author role).

Key dates

06 Disclosure timeline

May 27, 2026 CVE published
May 27, 2026 Record updated