PatchSiren cyber security CVE debrief
CVE-2026-8832 smub CVE debrief
CVE-2026-8832 is a high-severity remote code execution vulnerability in the WPCode WordPress plugin (versions up to and including 2.3.5), published 2026-05-27. The root cause is a missing capability_type parameter when registering the 'wpcode' custom post type, causing WordPress to fall back to standard post capabilities. This allows author-level users to create and publish executable PHP snippets via XML-RPC wp.newPost calls. These snippets are then executed server-side via eval() when rendered through the [wpcode] shortcode. The vulnerability was assigned CVSS 8.8 (High) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. A fix was committed to the plugin repository, with changes visible in the version 2.3.6 tag comparison.
- Vendor: smub
- Product: WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
- WordPress site administrators using the WPCode plugin
- Security teams managing WordPress installations
- Hosting providers with WordPress customers
- Incident responders investigating potential PHP backdoors in WordPress environments
Technical summary
The WPCode plugin registers a custom post type 'wpcode' without specifying capability_type, causing WordPress to inherit standard 'post' capabilities. This allows any user with 'publish_posts' capability (Author role and above) to create wpcode entries via XML-RPC wp.newPost. When these entries contain PHP code and are rendered via the [wpcode] shortcode, the run_eval() function executes the code via eval(). The fix adds proper capability restrictions to the post type registration.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade WPCode plugin to version 2.3.6 or later
- Restrict XML-RPC access if not required
- Audit existing wpcode post type entries for unauthorized PHP snippets
- Review user roles to ensure minimum necessary privileges
- Implement Web Application Firewall rules to detect suspicious XML-RPC wp.newPost requests targeting wpcode post type
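As an added illustration of the last two actions (not code from this debrief or from the WPCode project), the following Python check parses an XML-RPC request body and flags wp.newPost calls whose content struct targets the wpcode post type. The wp.editPost entry is an assumption (same content-struct shape, one extra post_id parameter), and the sample request bodies are constructed, not captured traffic.

```python
import xmlrpc.client

# Post type whose entries WPCode renders through eval() (from the advisory).
WATCHED_POST_TYPE = "wpcode"
# wp.newPost is the method named in the advisory; wp.editPost (assumption: same
# content-struct shape, plus a post_id parameter) is included for completeness.
WATCHED_METHODS = {"wp.newPost", "wp.editPost"}


def inspect_xmlrpc_request(body: str) -> dict:
    """Classify one XML-RPC request body.

    Returns the method name, the post_type carried in the content struct (if
    any) and whether the call targets the 'wpcode' post type.
    """
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception as exc:  # malformed XML or a non-XML-RPC payload
        return {"method": None, "post_type": None, "flagged": False, "error": str(exc)}
    post_type = None
    if method in WATCHED_METHODS:
        # The content struct is the only dict-valued parameter of these methods.
        content = next((p for p in params if isinstance(p, dict)), None)
        if content is not None:
            post_type = content.get("post_type")
    return {"method": method, "post_type": post_type,
            "flagged": post_type == WATCHED_POST_TYPE}


def _new_post_request(post_type: str, content: str) -> str:
    """Build a constructed wp.newPost body (sample input, not captured traffic)."""
    struct = {"post_type": post_type, "post_status": "publish", "post_content": content}
    return xmlrpc.client.dumps((1, "author1", "password", struct), methodname="wp.newPost")


# Constructed samples: one snippet creation, one ordinary blog post.
SAMPLE_WPCODE = _new_post_request("wpcode", "echo 'hello';")
SAMPLE_BLOG_POST = _new_post_request("post", "Hello world")

if __name__ == "__main__":
    for label, body in (("wpcode", SAMPLE_WPCODE), ("post", SAMPLE_BLOG_POST)):
        print(label, inspect_xmlrpc_request(body))
```

A flagged request from an account below Administrator is the event to alert on; the same post_type filter applies when auditing wp_posts for existing wpcode entries.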
Evidence notes
Vulnerability description and technical details sourced from NVD record and Wordfence security advisory. Code locations confirmed via WordPress plugin repository browser links showing: post-type.php#L24 (vulnerable capability registration), class-wpcode-snippet-execute-php.php#L25 (PHP execution path), shortcode.php#L26 (shortcode rendering), and class-wpcode-snippet-execute.php#L374/L415 (eval execution). Fix confirmed via changeset 3549060 and version 2.3.6 tag comparison.