A high-severity Cross-Site Scripting (XSS) vulnerability in the WPCode plugin for WordPress has been discovered by Erwan LR (WPScan), bringing attention to the significance of prioritizing website security.

The XSS vulnerability in WPCode Plugin allows malicious actors to inject harmful scripts, such as redirects, advertisements, and other HTML payloads, into a website. When unsuspecting guests visit the site, these malicious scripts are executed, potentially leading to detrimental consequences.


Classified as high severity with a CVSS 3.1 score of 7.1, this XSS vulnerability poses a significant risk to the security and integrity of affected websites.

Affected Versions:

Website owners using versions of the WPCode plugin up to are vulnerable to this critical security flaw. Upgrading to the latest version (at least is essential to eliminate the vulnerability and enhance overall plugin security.


Exploiting this vulnerability empowers malicious actors to inject harmful scripts into a website, potentially leading to the theft of cookies or session tokens, redirection to harmful websites, or the execution of arbitrary commands on the victim’s computer.


To enhance WordPress security and protect websites from this critical vulnerability, website owners are strongly advised to take the following actions:

  1. Update to the Latest Version: Website owners using the WPCode plugin should update to the latest version (at least without delay. This updated version includes the essential patch to address the XSS vulnerability, enhancing WordPress security measures.
  2. Regular Security Audits: Conduct regular security audits of the WordPress website to identify and address potential vulnerabilities proactively.
  3. Stay Informed: Stay informed about the latest security updates and advisories from the WPCode plugin developers. Regularly check for plugin updates and apply them promptly.