Vulnerability Report

CVE-2026-8832

RCE

Title: WordPress WPCode Plugin Remote Code Execution

RCE

Proof Of Concept

PoC Available for CVE-2026-8832

CWE Category CWE-94

Published Date May 27, 2026

Modified Date May 27, 2026

Exploit Status Available

Score 8.8 CVSS v3.1

Exploit Probability (EPSS)

0.62%

Vulnerability Summary

CVE-2026-8832: The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the 'wpcode' custom post type being registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function, allowing WordPress core to fall back to standard post capabilities for all creation paths including XML-RPC. This makes it possible for authenticated attackers, with author-level access and above, to create and publish executable PHP snippet posts via XML-RPC wp.newPost, which are then executed server-side via eval() in the run_eval() function when the snippet is rendered through the [wpcode] shortcode.

Impacted Vendors

Analysis in Progress...

Reference Links

https://plugins.trac.wordpress.org/browser/insert-headers-and-footers/tags/2.3.5/includes/class-wpcode-snippet-execute.php#L374 https://plugins.trac.wordpress.org/browser/insert-headers-and-footers/tags/2.3.5/includes/class-wpcode-snippet-execute.php#L415 https://plugins.trac.wordpress.org/browser/insert-headers-and-footers/tags/2.3.5/includes/execute/class-wpcode-snippet-execute-php.php#L25 https://plugins.trac.wordpress.org/browser/insert-headers-and-footers/tags/2.3.5/includes/post-type.php#L24 https://plugins.trac.wordpress.org/browser/insert-headers-and-footers/tags/2.3.5/includes/shortcode.php#L26 https://plugins.trac.wordpress.org/changeset/3549060/insert-headers-and-footers/trunk/includes/post-type.php https://plugins.trac.wordpress.org/changeset?old_path=%2Finsert-headers-and-footers/tags/2.3.5&new_path=%2Finsert-headers-and-footers/tags/2.3.6 https://www.wordfence.com/threat-intel/vulnerabilities/id/75a2e8b1-d5e0-4f7b-a70a-f0aadf58c778?source=cve

CVSS v3.1

Source Entity [email protected]

Severity HIGH

8.8

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2026-8832 Exploits & PoCs (Proof Of Concept)

GitHub https://github.com/funixone/EXPLOIT-CVE-2026-8832-

View Code

GitHub https://github.com/funixone/EXPLOIT-CVE-2026-8832

View Code

May 27, 2026 MODIFIED

Vulnerability data updated via NVD.

May 27, 2026 MODIFIED

Vulnerability data updated via NVD.

Attack Vector Matrix

Access Vector NETWORK

Complexity LOW

Privileges N/A

Interaction NONE

CVSS Vector String


                                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Stack

No specific products linked.