Wpcode – Insert Headers And Footers + Custom Code Snippets – Wordpress Code Manager

Submit a proposal Propose CVE/GCVE/GHSA reference

Approved changes feed: RSS · Atom

cpe:2.3:a:smub:wpcode_–_insert_headers_and_footers_+_custom_code_snippets_–_wordpress_code_manager:*:*:*:*:*:*:*:*

part: a version: * update: *

VendorSmub (de95b648-5e6e-5830-888e-6dff235e28e3)
ProductWpcode – Insert Headers And Footers + Custom Code Snippets – Wordpress Code Manager (32c01cdd-ae69-5683-8113-a126309ffa7d)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from gcve-enriched-dumps CVE data

PURL mappings

PURLSourceLast updated
No PURL mappings for this CPE yet.

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2026-8832 vulnerable 2026-06-03 15:29:29.738083 WPCode <= 2.3.5 - Authenticated (Author+) Remote Code Execution via CPT Capability Bypass via XML-RPC wp.newPost
HIGH (8.8)
The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the 'wpcode' custom post type being registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function, allowing WordPress core to fall back to standard post capabilities for all creation paths including XML-RPC. This makes it possible for authenticated attackers, with author-level access and above, to create and publish executable PHP snippet posts via XML-RPC wp.newPost, which are then executed server-side via eval() in the run_eval() function when the snippet is rendered through the [wpcode] shortcode.
Published: 2026-05-27T06:46:16.247Z
Updated: 2026-05-27T10:30:23.131Z
Reference links
Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.