Description
The Code Snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.9.4. This is due to missing nonce validation on the cloud snippet download and update actions in the Cloud_Search_List_Table class. This makes it possible for unauthenticated attackers to force logged-in administrators to download or update cloud snippets without their consent via a crafted request, granted they can trick an administrator into visiting a malicious page.
Published: 2026-02-06
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery enabling unauthenticated attackers to coerce logged‑in administrators into downloading or updating cloud snippets without consent
Action: Apply Patch
AI Analysis

Impact

The Code Snippets plugin for WordPress contains a CSRF flaw that arises from missing nonce validation in the Cloud_Search_List_Table class. An attacker can use a crafted request to trigger the download or update of cloud snippets on a target administrator’s account. This allows the attacker to force the installation or replacement of code in the cloud snippet repository, potentially leading to unintended code execution or alteration of site functionality. The flaw does not provide direct code execution or privilege escalation on its own, but it undermines the integrity of the plugin’s managed code base.

Affected Systems

WordPress installations running the Code Snippets plugin, version 3.9.4 or earlier. The affected package is distributed by codesnippetspro and includes the Cloud_Search_List_Table component. Administrators who have the plugin enabled are vulnerable unless the plugin is updated beyond the specified version.

Risk and Exploitability

The CVSS score is 4.3, indicating moderate severity, and the EPSS score is below 1 %, suggesting a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog and no public exploits are known. An attacker would need to craft a malicious URL or page that forces an administrator’s browser to issue a request to the plugin’s cloud snippet endpoint. Because the attacker does not require any administrative credentials, the primary barrier is social engineering—getting the target to click a link or visit a crafted page.

Generated by OpenCVE AI on April 15, 2026 at 18:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Code Snippets plugin to a version newer than 3.9.4 where nonce validation has been added to cloud snippet actions
  • Validate that the installed plugin version number reflects the latest release and that the Cloud_Search_List_Table class includes a nonce check for download and update actions
  • If upgrading is not immediately possible, disable or remove the cloud snippet functionality from the administration interface or block the related endpoints from unauthenticated requests to mitigate the risk

Generated by OpenCVE AI on April 15, 2026 at 18:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Codesnippets
Codesnippets code Snippets
Wordpress
Wordpress wordpress
Vendors & Products Codesnippets
Codesnippets code Snippets
Wordpress
Wordpress wordpress

Fri, 06 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description The Code Snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.9.4. This is due to missing nonce validation on the cloud snippet download and update actions in the Cloud_Search_List_Table class. This makes it possible for unauthenticated attackers to force logged-in administrators to download or update cloud snippets without their consent via a crafted request, granted they can trick an administrator into visiting a malicious page.
Title Code Snippets <= 3.9.4 - Cross-Site Request Forgery to Cloud Snippet Download/Update Actions
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Codesnippets Code Snippets
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:50:43.155Z

Reserved: 2026-02-02T21:18:03.515Z

Link: CVE-2026-1785

cve-icon Vulnrichment

Updated: 2026-02-06T17:07:47.859Z

cve-icon NVD

Status : Deferred

Published: 2026-02-06T09:15:49.163

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1785

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T19:00:12Z

Weaknesses