CVE-2026-8832

HIGH

WPCode <= 2.3.5 - Authenticated (Author+) Remote Code Execution via CPT Capability Bypass via XML-RPC wp.newPost

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-8832. PoCs published by funixone.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-8832, targeting a capability bypass in the WPCode Lite WordPress plugin (v2.3.5) that allows authenticated users with Author+ privileges to achieve RCE via XML-RPC. The exploit automates fingerprinting, authentication, and payload execution.

Description

The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the 'wpcode' custom post type being registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function, allowing WordPress core to fall back to standard post capabilities for all creation paths including XML-RPC. This makes it possible for authenticated attackers, with author-level access and above, to create and publish executable PHP snippet posts via XML-RPC wp.newPost, which are then executed server-side via eval() in the run_eval() function when the snippet is rendered through the [wpcode] shortcode.

Exploits (2)

github WORKING POC
by funixone · pythonpoc
https://github.com/funixone/EXPLOIT-CVE-2026-8832

This repository contains a functional exploit for CVE-2026-8832, targeting a capability bypass in the WPCode Lite WordPress plugin (v2.3.5) that allows authenticated users with Author+ privileges to achieve RCE via XML-RPC. The exploit automates fingerprinting, authentication, and payload execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WPCode Lite (Insert Headers and Footers) v2.3.5
Auth required
Prerequisites: WordPress site with WPCode Lite plugin v2.3.5 or lower · Author+ user credentials · XML-RPC enabled
devstral-2 · analyzed May 29, 2026 Full analysis →
github WORKING POC
by funixone · poc
https://github.com/funixone/EXPLOIT-CVE-2026-8832-

This repository contains a functional exploit for CVE-2026-8832, targeting a Remote Code Execution (RCE) vulnerability in the WordPress plugin WPCode Lite (Insert Headers and Footers) v2.3.5. The exploit leverages an improperly registered Custom Post Type (CPT) to allow users with Author privileges to execute arbitrary PHP code via XML-RPC.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WPCode Lite (Insert Headers and Footers) v2.3.5
Auth required
Prerequisites: WordPress site with WPCode Lite v2.3.5 installed · User account with Author privileges or higher · XML-RPC enabled
devstral-2 · analyzed May 29, 2026 Full analysis →

References (8)

Core 8
Core References

Scores

CVSS v3 8.8
EPSS 0.0049
EPSS Percentile 66.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-94
Status published
Products (1)
smub/WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager < 2.3.5
Published May 27, 2026
Tracked Since May 27, 2026