high advisory

CVE-2026-8832 - WPCode WordPress Plugin Remote Code Execution Vulnerability

The WPCode WordPress plugin, version 2.3.5 and earlier, is vulnerable to remote code execution because the 'wpcode' custom post type is registered without capability restrictions, allowing authenticated attackers with author-level access to execute arbitrary PHP code via XML-RPC.

The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin, version 2.3.5 and earlier, contains a remote code execution vulnerability (CVE-2026-8832). This vulnerability stems from the plugin’s registration of the ‘wpcode’ custom post type without properly defining custom capabilities or capability restrictions. Consequently, WordPress’s core functionality falls back to standard post capabilities for all creation paths, including those accessible via XML-RPC. This oversight enables authenticated attackers with at least author-level privileges to exploit the wp.newPost method through XML-RPC, crafting and publishing malicious PHP snippet posts. These snippets are then executed server-side using eval() within the run_eval() function when the [wpcode] shortcode is rendered, effectively granting the attacker arbitrary code execution on the server.

Attack Chain

  1. An attacker authenticates to the WordPress site with author-level or higher privileges.
  2. The attacker leverages the XML-RPC interface (wp.newPost) to create a new post of the ‘wpcode’ custom post type.
  3. Within the ‘wpcode’ post content, the attacker injects malicious PHP code as a snippet designed for execution.
  4. The attacker publishes the ‘wpcode’ post via XML-RPC.
  5. A page or post on the WordPress site is created or modified to include the [wpcode] shortcode referencing the malicious ‘wpcode’ post.
  6. When a user visits the page or post containing the shortcode, WordPress renders the ‘wpcode’ snippet.
  7. The run_eval() function executes the embedded malicious PHP code server-side via eval().
  8. The attacker achieves remote code execution, potentially leading to full server compromise.

Impact

Successful exploitation of CVE-2026-8832 allows authenticated attackers to execute arbitrary PHP code on the WordPress server. This could lead to complete compromise of the web server, including data theft, website defacement, or further malicious activities such as installing backdoors and malware. This vulnerability poses a significant threat to any WordPress website utilizing the affected WPCode plugin version.

Recommendation

  • Immediately upgrade the WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin to the latest available version (greater than 2.3.5) to patch CVE-2026-8832.
  • Deploy the Sigma rule “Detect Suspicious WPCode XML-RPC Post Creation” to detect potential exploitation attempts via XML-RPC.
  • Monitor web server logs for suspicious POST requests to the xmlrpc.php endpoint that create wpcode posts containing PHP code.
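
The log-monitoring recommendation above, sketched as an added example (not code from this advisory, its Sigma rules, or the WPCode project). It assumes request bodies are captured, for instance by a WAF or reverse-proxy audit log, and exposed as records with the hypothetical fields `src`, `method`, `uri` and `body`; the sample records are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic markers of PHP source in a snippet body (not exhaustive).
PHP_MARKERS = re.compile(r"<\?(?:php|=)|\b(?:eval|system|shell_exec|passthru)\s*\(", re.I)
MAX_BODY = 1_000_000  # do not XML-parse oversized bodies; flag them for review

def members(root):
    """Yield (name, text) for every <member>, nested structs and batched calls included."""
    for m in root.iter("member"):
        value = m.find("value")
        if value is not None:
            yield (m.findtext("name") or "").strip(), "".join(value.itertext()).strip()

def classify(rec):
    """Return a finding for one logged request, or None if it does not match."""
    path = rec.get("uri", "").split("?", 1)[0]
    if rec.get("method") != "POST" or not path.endswith("/xmlrpc.php"):
        return None
    body = rec.get("body", "")
    if len(body) > MAX_BODY:
        return {"src": rec.get("src"), "severity": "review", "reason": "oversized body"}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    pairs = list(members(root))
    methods = {(root.findtext("methodName") or "").strip()} | {v for n, v in pairs if n == "methodName"}
    if "wp.newPost" not in methods or ("post_type", "wpcode") not in pairs:
        return None
    content = " ".join(v for n, v in pairs if n == "post_content")
    severity = "high" if PHP_MARKERS.search(content) else "medium"
    return {"src": rec.get("src"), "severity": severity, "reason": "wpcode post via wp.newPost"}

def scan(records):
    return [f for f in map(classify, records) if f]

# Constructed sample records; credential parameters are omitted, as a redacting logger would.
TEMPLATE = ("<methodCall><methodName>wp.newPost</methodName><params><param><value><struct>"
            "<member><name>post_type</name><value><string>{}</string></value></member>"
            "<member><name>post_content</name><value><string>{}</string></value></member>"
            "</struct></value></param></params></methodCall>")
SAMPLE = [{"src": s, "method": "POST", "uri": "/xmlrpc.php", "body": b} for s, b in [
    ("203.0.113.7", TEMPLATE.format("wpcode", "&lt;?php /* constructed */")),
    ("203.0.113.8", TEMPLATE.format("post", "Weekly update")),
    ("203.0.113.9", TEMPLATE.format("wpcode", "plain text")),
]]
if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Any 'wpcode' post created over XML-RPC is reported, since the advisory describes that path as the unintended one; PHP markers in the content only raise the severity.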

Detection coverage (2 rules)

Detect Suspicious WPCode XML-RPC Post Creation

high

Detects CVE-2026-8832 exploitation — Creation of 'wpcode' posts via XML-RPC containing PHP code.

sigma | tactics: execution, initial_access | techniques: T1190 | sources: webserver

Detect PHP Code Execution via Eval in WPCode

medium

Detects PHP code execution via eval() function when rendering a wpcode shortcode, indicating CVE-2026-8832 exploitation.

sigma | tactics: execution | techniques: T1059.001 | sources: webserver
