Security Alert Summary
The WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager plugin contains a vulnerability that can allow authenticated users with author-level access or higher to create and publish executable PHP snippets via XML-RPC, which are then executed server-side when rendered. This can lead to remote code execution on sites using affected versions.
CVE Details
- CVE ID: CVE-2026-8832
- Affected component: WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager plugin for WordPress
- Affected versions: versions up to, and including, 2.3.5
- Published: May 27, 2026 at 08:16:45 AM UTC
- Last modified: May 27, 2026 at 02:50:47 PM UTC
- CVSS v3.1 base score: 8.8
- CVSS v3.1 severity: HIGH
- CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Authentication / privileges / user interaction: Authentication required; privileges required: LOW (author-level and above); user interaction: NONE
- Primary impact: Confidentiality: HIGH; Integrity: HIGH; Availability: HIGH
- Weakness (CWE): CWE-94 (Improper Control of Generation of Code)
Technical Details
The plugin registers a custom post type wpcode in the wpcode_register_post_type() function without specifying a custom capability_type or capability restrictions. Because of this omission, WordPress core falls back to standard post capabilities for creation and publishing paths, including XML-RPC endpoints.
An authenticated attacker with author-level privileges or higher can use the XML-RPC wp.newPost method to create and publish posts of the wpcode type that contain executable PHP snippets. When those snippet posts are rendered via the [wpcode] shortcode, the plugin calls its run_eval() execution path, which evaluates the snippet via eval(). This results in server-side execution of attacker-supplied PHP code.
The issue exists because capability checks were not restricted for the custom post type and because the execution path relies on runtime evaluation of stored snippet content. The impact is remote code execution limited to authenticated users who have sufficient publishing privileges.
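To make the root cause concrete, the following is an added illustration, not the plugin's own code and not its actual fix: a hypothetical custom post type registered the weak way (no capability settings, so WordPress maps it onto the built-in post capabilities that authors hold), beside a hardened registration that maps every capability WordPress consults for the type to manage_options, so only administrators can create or publish entries through any path, XML-RPC included. The example_* function names and the example_snippet slug are assumptions.

```php
<?php
// Added example, not WPCode's own code. Shows the class of defect described
// above: a custom post type registered without capability restrictions.

// Weak: no capability_type / capabilities / map_meta_cap. WordPress maps the
// type's create/edit/publish checks onto the built-in "post" capabilities, so
// any role with edit_posts and publish_posts (authors and above) can create
// and publish entries of this type, from wp-admin or over XML-RPC alike.
function example_register_snippet_cpt_weak() {
    register_post_type( 'example_snippet', array(
        'public'   => false,
        'show_ui'  => true,
        'supports' => array( 'title', 'editor' ),
    ) );
}

// Hardened: every primitive and meta capability for the type resolves to
// manage_options, so only administrators pass the checks regardless of the
// request path (admin UI, REST, XML-RPC wp.newPost).
function example_register_snippet_cpt_hardened() {
    $admin_only = array_fill_keys( array(
        'edit_post', 'read_post', 'delete_post',
        'edit_posts', 'edit_others_posts', 'edit_private_posts',
        'edit_published_posts', 'publish_posts', 'read_private_posts',
        'delete_posts', 'delete_private_posts', 'delete_published_posts',
        'delete_others_posts', 'create_posts',
    ), 'manage_options' );

    register_post_type( 'example_snippet', array(
        'public'       => false,
        'show_ui'      => true,
        'supports'     => array( 'title', 'editor' ),
        'capabilities' => $admin_only,
        'map_meta_cap' => true,
    ) );
}

// Self-check for a site administrator (e.g. run through `wp eval-file`):
// returns true if the given user can create entries of the type. For an
// author-level user it should be false after the hardened registration.
function example_user_can_create_snippet( $user_id ) {
    $type = get_post_type_object( 'example_snippet' );
    return $type && user_can( $user_id, $type->cap->create_posts );
}
```

The same check can be run against any custom post type on a site by substituting its slug, which is a quick way to audit which roles can publish content of a given type.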
How This Could Impact Your Website
On a multi-user WordPress site, an external contractor or contributor who has been granted author-level access could publish a PHP snippet that executes on the site. That code could read or modify site data, manipulate content, or perform actions that affect site availability, depending on what the snippet does and the permissions of the web server process.
For example, an internal staff member might unknowingly approve a snippet created via XML-RPC by an attacker, or an outsourced content editor with author privileges could be used as the initial access point. Because confidentiality impact is rated HIGH, sensitive data such as site configuration or stored information could be exposed, increasing the risk of targeted phishing or social engineering against staff or subscribers.
If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles and privileges, especially for contributors and authors.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Disable or remove unused or unmaintained plugins and themes.
- Monitor site activity and logs for unusual behavior, new posts published via XML-RPC, or unexpected changes to snippet content.
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/insert-headers-and-footers/tags/2.3.5/includes/class-wpcode-snippet-execute.php#L374
- https://plugins.trac.wordpress.org/browser/insert-headers-and-footers/tags/2.3.5/includes/class-wpcode-snippet-execute.php#L415
- https://plugins.trac.wordpress.org/browser/insert-headers-and-footers/tags/2.3.5/includes/execute/class-wpcode-snippet-execute-php.php#L25
- https://plugins.trac.wordpress.org/browser/insert-headers-and-footers/tags/2.3.5/includes/post-type.php#L24
- https://plugins.trac.wordpress.org/browser/insert-headers-and-footers/tags/2.3.5/includes/shortcode.php#L26
- https://plugins.trac.wordpress.org/changeset/3549060/insert-headers-and-footers/trunk/includes/post-type.php
- https://plugins.trac.wordpress.org/changeset?old_path=%2Finsert-headers-and-footers/tags/2.3.5&new_path=%2Finsert-headers-and-footers/tags/2.3.6
- https://www.wordfence.com/threat-intel/vulnerabilities/id/75a2e8b1-d5e0-4f7b-a70a-f0aadf58c778?source=cve