cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches for post-snippets

May 31, 2026

Post Snippets – Custom WordPress Code Snippets Customizer # CVE-2026-7430

CVE, Research URL

CVE-2026-7430

Date
May 29, 2026
Research Description
The Post Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.0.19. This is due to insufficient output escaping of imported snippet content when rendering JavaScript variables in the post editor. Specifically, the `jqueryUiDialog()` method in `WPEditor.php` embeds snippet content directly into JavaScript string literals without escaping double quotes (the quote-escaping code on line 214 is commented out). When snippets are imported via the Import/Export feature, the content bypasses WordPress's `wp_magic_quotes()` (which would otherwise add protective backslashes), allowing double quotes in snippet content to break out of the JavaScript string context. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts via a malicious import file that execute whenever any administrator accesses a post editor page. Please note that this does not affect single-site installations as administrators already have the `unfiltered_html` capability.
Affected versions
max 4.1.1.
Status
vulnerable
Mar 31, 2026

Post Snippets – Custom WordPress Code Snippets Customizer # CVE-2026-25001

CVE, Research URL

CVE-2026-25001

Date
Mar 25, 2026
Research Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Saad Iqbal Post Snippets post-snippets allows Remote Code Inclusion. This issue affects Post Snippets: from n/a through <= 4.0.12.
Affected versions
max 4.0.12.
Status
vulnerable
Jan 10, 2026

Post Snippets – Custom WordPress Code Snippets Customizer # CVE-2025-63040

CVE, Research URL

CVE-2025-63040

Date
Dec 31, 2025
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal Post Snippets allows Cross Site Request Forgery. This issue affects Post Snippets: from n/a through 4.0.11.
Affected versions
max 4.0.11.
Status
vulnerable
Nov 15, 2024

Post Snippets – Custom WordPress Code Snippets Customizer # CVE-2022-4974

CVE, Research URL

CVE-2022-4974

Date
Oct 16, 2024
Research Description
The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information Disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and _set_db_option functions in versions up to, and including, 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions
max 3.1.7.
Status
vulnerable
Jun 07, 2024

Post Snippets – Custom WordPress Code Snippets Customizer # CVE-2021-25010

CVE, Research URL

CVE-2021-25010

Date
Feb 28, 2022
Research Description
The Post Snippets WordPress plugin before 3.1.4 does not have a CSRF check when importing files, allowing an attacker to make a logged-in admin import arbitrary snippets. Furthermore, imported snippets are not sanitised or escaped, which could lead to Stored Cross-Site Scripting issues.
Affected versions
max 3.0.6.
Status
vulnerable

Post Snippets – Custom WordPress Code Snippets Customizer # CVE-2023-25459

CVE, Research URL

CVE-2023-25459

Date
Aug 08, 2023
Research Description
Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in the Postsnippets Post Snippets plugin, versions <= 4.0.2.
Affected versions
max 4.0.3.
Status
vulnerable