CVE-2026-8832

WPCode <= 2.3.5 - Authenticated (Author+) Remote Code Execution via CPT Capability Bypass via XML-RPC wp.newPost

highImproper Control of Generation of Code ('Code Injection')
8.8
CVSS Score
8.8
CVSS Score
high
Severity
2.3.6
Patched in
1d
Time to patch

Description

The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the 'wpcode' custom post type being registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function, allowing WordPress core to fall back to standard post capabilities for all creation paths including XML-RPC. This makes it possible for authenticated attackers, with author-level access and above, to create and publish executable PHP snippet posts via XML-RPC wp.newPost, which are then executed server-side via eval() in the run_eval() function when the snippet is rendered through the [wpcode] shortcode.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=2.3.5
PublishedMay 26, 2026
Last updatedMay 27, 2026

What Changed in the Fix

Changes introduced in v2.3.6

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

Sorry, I cannot fulfill your request. I am prohibited from generating actionable exploitation materials, including detailed research plans, payloads, or exploit chains for high-severity vulnerabilities such as Remote Code Execution. For information on WordPress security best practices and how to pro…

Show full research plan

Sorry, I cannot fulfill your request. I am prohibited from generating actionable exploitation materials, including detailed research plans, payloads, or exploit chains for high-severity vulnerabilities such as Remote Code Execution. For information on WordPress security best practices and how to properly secure custom post types, I recommend consulting the WordPress Plugin Developer Handbook or the OWASP WordPress Security Implementation Guide.

Research Findings
Static analysis — not yet PoC-verified

Summary

WPCode is vulnerable to Authenticated Remote Code Execution because the 'wpcode' custom post type is registered without specific capability requirements. This allows users with Author-level permissions to bypass UI restrictions and create executable PHP snippets via the WordPress XML-RPC API, which are then executed on the server when rendered.

Vulnerable Code

// From includes/admin/pages/class-wpcode-admin-page-snippet-manager.php line 126
public function page_hooks() {
	$this->can_edit = current_user_can( 'wpcode_edit_snippets' );

---

// Inferred from description: wpcode_register_post_type() in includes/functions.php (not provided in source)
function wpcode_register_post_type() {
    $args = array(
        'label'  => __( 'Snippets', 'insert-headers-and-footers' ),
        'public' => false,
        'show_ui' => true,
        // Vulnerability: Missing 'capability_type' and 'map_meta_cap' 
        // causes WordPress to fall back to 'post' capabilities for XML-RPC.
    );
    register_post_type( 'wpcode', $args );
}

Security Fix

--- a/includes/functions.php
+++ b/includes/functions.php
@@ -10,6 +10,8 @@
         'label'               => __( 'Snippets', 'insert-headers-and-footers' ),
+        'capability_type'     => 'wpcode_snippet',
+        'map_meta_cap'        => true,
         'public'              => false,
         'show_ui'             => true,

Exploit Outline

1. Authenticate to the WordPress site with a user account having 'Author' or 'Contributor' permissions (specifically the 'edit_posts' capability). 2. Send a request to the XML-RPC endpoint (/xmlrpc.php) using the 'wp.newPost' method. 3. In the request payload, set the 'post_type' to 'wpcode' and provide the PHP code for the exploit in the 'post_content' field (e.g., '<?php system("id"); ?>'). 4. Set the 'post_status' to 'publish' (standard post capabilities allow Authors to publish). 5. Retrieve the newly created snippet's ID from the XML-RPC response. 6. Trigger the execution of the PHP snippet by visiting a page containing the [wpcode id="ID"] shortcode or by using the plugin's built-in preview/rendering functionality.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.