Impact
The vulnerability in the WordPress Post Snippets plugin allows a contributor to execute arbitrary PHP code on the server running WordPress because the plugin fails to properly validate or sanitize code submitted through the snippet editor. The flaw is classified as CWE-94 (Improper Control of Generation of Code, "Code Injection") and can result in full compromise of the web application and of the underlying operating system if an attacker is able to place malicious snippets. The impact is therefore high-severity remote code execution with the full privileges of the web server process.
Affected Systems
The affected product is the Post Snippets plugin for WordPress, version 4.0.19 and earlier. Sites running these legacy versions are vulnerable because the plugin does not restrict code submission by role: any authenticated contributor can submit snippet code. The vendor and the product are both listed as Post Snippets.
Risk and Exploitability
The CVSS score is 8.5, indicating high severity. No EPSS data is available, so an exploitation probability cannot be stated. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is the plugin's snippet submission interface: because submitted snippets are executed during normal WordPress operation, an attacker with contributor permissions can inject code that runs inside the site's PHP runtime. Once an attacker holds authenticated contributor access, no further preconditions are required, and the absence of defensive checks makes remote code execution straightforward.
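As an added illustration, not code from the Post Snippets plugin: the pattern a WordPress snippet editor needs to avoid this class of flaw, gating both the save path and the execution path on an administrator capability. All function, hook and option names below are hypothetical placeholders.

```php
<?php
// Added example (hypothetical plugin code, not Post Snippets): a snippet
// editor that only lets administrators store and run PHP snippets.

function example_save_snippet() {
    // Nonce bound to this action rejects forged form submissions.
    check_admin_referer( 'example_save_snippet', '_example_nonce' );

    // Anyone below contributor level has no business saving snippets at all.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $snippet = array(
        'title'  => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'body'   => wp_unslash( $_POST['body'] ?? '' ),
        'php'    => ! empty( $_POST['php'] ),   // "execute as PHP" flag
        'author' => get_current_user_id(),      // recorded for the render-time check
    );

    // The core fix: a snippet flagged for PHP execution may only be stored
    // by an account holding manage_options (administrators).
    if ( $snippet['php'] && ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Only administrators may store executable snippets.', '', array( 'response' => 403 ) );
    }

    // Contributors lack unfiltered_html, so their HTML is reduced to a safe subset.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $snippet['body'] = wp_kses_post( $snippet['body'] );
    }

    $snippets   = get_option( 'example_snippets', array() );
    $snippets[] = $snippet;
    update_option( 'example_snippets', $snippets );
}
add_action( 'admin_post_example_save_snippet', 'example_save_snippet' );

function example_render_snippet( array $snippet ) {
    if ( empty( $snippet['php'] ) ) {
        return $snippet['body'];
    }
    // Defense in depth: refuse to evaluate PHP unless the recorded author still
    // holds manage_options, so a snippet that reached the option table through
    // a lower-privileged account is never executed.
    if ( empty( $snippet['author'] ) || ! user_can( (int) $snippet['author'], 'manage_options' ) ) {
        return '';
    }
    ob_start();
    eval( '?>' . $snippet['body'] );   // runs only administrator-authored snippets
    return ob_get_clean();
}
```

The render-time check matters because a save-path fix alone does nothing for snippets already stored by a contributor before the plugin was updated.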
OpenCVE Enrichment