{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-8832/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-8832"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin \u003c= 2.3.5"],"_cs_severities":["high"],"_cs_tags":["wordpress","rce","cve-2026-8832","xml-rpc"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin, version 2.3.5 and earlier, contains a remote code execution vulnerability (CVE-2026-8832). This vulnerability stems from the plugin\u0026rsquo;s registration of the \u0026lsquo;wpcode\u0026rsquo; custom post type without properly defining custom capabilities or capability restrictions. Consequently, WordPress\u0026rsquo;s core functionality falls back to standard post capabilities for all creation paths, including those accessible via XML-RPC. This oversight enables authenticated attackers with at least author-level privileges to exploit the wp.newPost method through XML-RPC, crafting and publishing malicious PHP snippet posts. 
These snippets are then executed server-side using eval() within the run_eval() function when the [wpcode] shortcode is rendered, effectively granting the attacker arbitrary code execution on the server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress site with author-level or higher privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the XML-RPC interface (wp.newPost) to create a new post of the \u0026lsquo;wpcode\u0026rsquo; custom post type.\u003c/li\u003e\n\u003cli\u003eWithin the \u0026lsquo;wpcode\u0026rsquo; post content, the attacker injects malicious PHP code as a snippet designed for execution.\u003c/li\u003e\n\u003cli\u003eThe attacker publishes the \u0026lsquo;wpcode\u0026rsquo; post via XML-RPC.\u003c/li\u003e\n\u003cli\u003eA page or post on the WordPress site is created or modified to include the \u003ccode\u003e[wpcode]\u003c/code\u003e shortcode referencing the malicious \u0026lsquo;wpcode\u0026rsquo; post.\u003c/li\u003e\n\u003cli\u003eWhen a user visits the page or post containing the shortcode, WordPress renders the \u0026lsquo;wpcode\u0026rsquo; snippet.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erun_eval()\u003c/code\u003e function executes the embedded malicious PHP code server-side via \u003ccode\u003eeval()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution, potentially leading to full server compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-8832 allows authenticated attackers to execute arbitrary PHP code on the WordPress server. This could lead to complete compromise of the web server, including data theft, website defacement, or further malicious activities such as installing backdoors and malware. 
This vulnerability poses a significant threat to any WordPress website utilizing the affected WPCode plugin version.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade the WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin to the latest available version (greater than 2.3.5) to patch CVE-2026-8832.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious WPCode XML-RPC Post Creation\u0026rdquo; to detect potential exploitation attempts via XML-RPC.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to the xmlrpc.php endpoint that create wpcode posts containing PHP code.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T08:21:10Z","date_published":"2026-05-27T08:21:10Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-8832-wpcode-rce/","summary":"The WPCode WordPress plugin, version 2.3.5 and earlier, is vulnerable to remote code execution due to missing capability restrictions on the 'wpcode' custom post type, allowing authenticated attackers with author-level access to execute arbitrary PHP code via XML-RPC.","title":"CVE-2026-8832 - WPCode WordPress Plugin Remote Code Execution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-8832-wpcode-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-8832","version":"https://jsonfeed.org/version/1.1"}