Vulnerabilities and security researches forinsert-headers-and-footers insert-headers-and-footers

May 27, 2026

CVE, Research URL: CVE-2026-8832
Home page URL: Security reports for WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager
Application: WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager
Date: May 27, 2026
Research Description: The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the 'wpcode' custom post type being registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function, allowing WordPress core to fall back to standard post capabilities for all creation paths including XML-RPC. This makes it possible for authenticated attackers, with author-level access and above, to create and publish executable PHP snippet posts via XML-RPC wp.newPost, which are then executed server-side via eval() in the run_eval() function when the snippet is rendered through the [wpcode] shortcode.
Affected versions: max 2.3.6.
Status: vulnerable

Jun 06, 2024

CVE, Research URL: CVE-2023-0328
Home page URL: Security reports for WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager
Application: WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager
Date: Mar 06, 2023
Research Description: The WPCode WordPress plugin before 2.0.7 does not have adequate privilege checks in place for several AJAX actions, only checking the nonce. This may lead to allowing any authenticated user who can edit posts to call the endpoints related to WPCode Library authentication (such as update and delete the auth key).
Affected versions: max 2.0.7.
Status: vulnerable

CVE, Research URL: CVE-2023-1624
Home page URL: Security reports for WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager
Application: WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager
Date: Apr 25, 2023
Research Description: The WPCode WordPress plugin before 2.0.9 has a flawed CSRF when deleting log, and does not ensure that the file to be deleted is inside the expected folder. This could allow attackers to make users with the wpcode_activate_snippets capability delete arbitrary log files on the server, including outside of the blog folders
Affected versions: max 2.0.9.
Status: vulnerable

CVE, Research URL: CVE-2023-3524
Home page URL: Security reports for WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager
Application: WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager
Date: Aug 07, 2023
Research Description: The WPCode WordPress plugin before 2.0.13.1 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting
Affected versions: max 2.0.13.1.
Status: vulnerable