VYPR
High severity (score 8.8) · NVD advisory · Published May 27, 2026

CVE-2026-8832

Description

The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5. This is due to the 'wpcode' custom post type being registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function, allowing WordPress core to fall back to standard post capabilities for all creation paths, including XML-RPC. This makes it possible for authenticated attackers, with author-level access and above, to create and publish executable PHP snippet posts via XML-RPC wp.newPost, which are then executed server-side via eval() in the run_eval() function when the snippet is rendered through the [wpcode] shortcode.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The WPCode plugin <=2.3.5 allows authenticated authors+ to create executable PHP snippets via XML-RPC due to missing custom capabilities, leading to remote code execution.

Vulnerability

The WPCode plugin for WordPress, versions up to and including 2.3.5, is vulnerable to Remote Code Execution. The wpcode custom post type is registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function [4]. This causes WordPress to fall back to standard post capabilities, allowing users with author-level access and above to create and publish PHP snippet posts via XML-RPC using wp.newPost [1][2]. The snippet content is later executed server-side via eval() in the run_eval() function when the [wpcode] shortcode is rendered [1][2].

Exploitation

An attacker must have an authenticated WordPress account with author-level privileges or higher. The attacker sends an XML-RPC request using the wp.newPost method to create a new wpcode post with a PHP code snippet, setting the post status to 'publish' and the code type to 'php'. Once published, the snippet is executed when the [wpcode] shortcode is processed on any page, calling eval() on the snippet code [1][2]. No additional user interaction is required beyond the initial authentication.

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary PHP code on the server, leading to full compromise of the WordPress site. The attacker can read, modify, or delete any data, install malicious plugins, or perform further attacks against the server [1][2][4].

Mitigation

The vulnerability is fixed in WPCode version 2.3.6, which introduces custom capabilities (wpcode_edit_snippets, wpcode_activate_snippets) and blocks XML-RPC write access to the wpcode post type [3]. Users should update to version 2.3.6 or later immediately. No workaround is available for earlier versions.
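The following plugin code is an added illustration of the fix described above, not WPCode's own source: it shows a post-type registration that maps every capability to plugin-specific ones (the names wpcode_edit_snippets and wpcode_activate_snippets come from the advisory), grants them to administrators only, and refuses XML-RPC writes to the post type as defence in depth. The example_* function names and the choice of role are assumptions.

```php
<?php
// Illustrative plugin code (added example, not WPCode's own source).
// The post type 'wpcode' and the capability names come from the advisory;
// the example_* function names and the role choice are assumptions.
// The vulnerable pattern omits capability_type entirely, e.g.
//   register_post_type( 'wpcode', array( 'public' => false, 'show_ui' => true ) );
// so WordPress falls back to the 'post' capabilities that Authors already hold.
// Hardened: map every capability the post type uses to plugin-specific
// ones, so only roles explicitly granted them can create, edit or publish.
function example_register_snippet_type() {
    register_post_type( 'wpcode', array(
        'public'       => false,
        'show_ui'      => true,
        'supports'     => array( 'title', 'editor' ),
        'map_meta_cap' => true,
        'capabilities' => array(
            'edit_post'          => 'wpcode_edit_snippets',
            'read_post'          => 'wpcode_edit_snippets',
            'delete_post'        => 'wpcode_edit_snippets',
            'edit_posts'         => 'wpcode_edit_snippets',
            'edit_others_posts'  => 'wpcode_edit_snippets',
            'create_posts'       => 'wpcode_edit_snippets',
            'read_private_posts' => 'wpcode_edit_snippets',
            'publish_posts'      => 'wpcode_activate_snippets',
        ),
    ) );
}
add_action( 'init', 'example_register_snippet_type' );

// Grant the plugin capabilities to administrators only (on activation).
function example_grant_snippet_caps() {
    $role = get_role( 'administrator' );
    if ( $role ) {
        $role->add_cap( 'wpcode_edit_snippets' );
        $role->add_cap( 'wpcode_activate_snippets' );
    }
}
register_activation_hook( __FILE__, 'example_grant_snippet_caps' );

// Defence in depth: refuse any XML-RPC write to the snippet post type,
// whatever capabilities the authenticated caller holds.
function example_block_xmlrpc_snippet_writes( $maybe_empty, $postarr ) {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST
         && 'wpcode' === ( $postarr['post_type'] ?? '' ) ) {
        return true; // wp_insert_post() then rejects the post as empty
    }
    return $maybe_empty;
}
add_filter( 'wp_insert_post_empty_content', 'example_block_xmlrpc_snippet_writes', 10, 2 );
```

The XML-RPC guard uses the wp_insert_post_empty_content filter so the rejection applies to every XML-RPC creation path, not only wp.newPost.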

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
