CVE-2026-1785
Unknown Unknown - Not Provided
CSRF in WordPress Code Snippets Plugin Allows Admin Snippet Manipulation

Publication date: 2026-02-06

Last updated on: 2026-02-06

Assigner: Wordfence

Description
The Code Snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.9.4. This is due to missing nonce validation on the cloud snippet download and update actions in the Cloud_Search_List_Table class. This makes it possible for unauthenticated attackers to force logged-in administrators to download or update cloud snippets without their consent via a crafted request, granted they can trick an administrator into visiting a malicious page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-02-06
Generated
2026-06-16
AI Q&A
2026-02-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1785
EUVD
EUVD-2026-5650
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
code_snippets code_snippets to 3.9.4 (inc)
code_snippets code_snippets 3.9.5
code_snippets code_snippets 3.9.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves Cross-Site Request Forgery (CSRF) in the Code Snippets WordPress plugin versions up to 3.9.4, where unauthenticated attackers can trick logged-in administrators into downloading or updating cloud snippets via crafted requests.'}, {'type': 'paragraph', 'content': 'Detection on your network or system would involve monitoring for suspicious HTTP requests targeting the cloud snippet download or update actions, especially those lacking proper nonce validation.'}, {'type': 'paragraph', 'content': "Specifically, you can look for HTTP requests with parameters such as 'action=download' or 'action=update' along with 'snippet' and 'source' parameters sent to the WordPress admin interface URLs related to the Code Snippets plugin."}, {'type': 'paragraph', 'content': 'Since the vulnerability is due to missing nonce validation, legitimate requests should include a valid nonce token in the URL or POST data. Absence of such nonce tokens in these requests may indicate exploitation attempts.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect such activity could include using web server logs or network monitoring tools to filter requests. For example, using grep on Apache or Nginx logs:'}, {'type': 'list_item', 'content': "grep -i 'action=download' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': "grep -i 'action=update' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': "grep -i 'snippet=' /var/log/apache2/access.log"}, {'type': 'paragraph', 'content': 'Additionally, you can use tools like Wireshark or network IDS/IPS to detect HTTP requests to the WordPress admin URLs containing these parameters without valid nonce tokens.'}, {'type': 'paragraph', 'content': 'However, no explicit detection commands or signatures are provided in the available resources.'}] [4, 5, 6]

Executive Summary

The Code Snippets plugin for WordPress has a vulnerability known as Cross-Site Request Forgery (CSRF) affecting all versions up to and including 3.9.4. This vulnerability arises because the plugin's cloud snippet download and update actions in the Cloud_Search_List_Table class do not properly validate nonces, which are security tokens used to verify legitimate requests.

Due to this missing nonce validation, an attacker who can trick a logged-in administrator into visiting a malicious webpage can force that administrator to unknowingly download or update cloud snippets without their consent. This happens because the attacker can craft a request that the administrator's browser executes with their privileges.

Impact Analysis

This vulnerability can impact you by allowing unauthorized actions to be performed on your WordPress site if an administrator is tricked into visiting a malicious page. Specifically, attackers can force administrators to download or update cloud snippets without their knowledge or consent.

While the vulnerability does not directly compromise confidentiality or availability, it can lead to unauthorized changes in the plugin's code snippets, potentially introducing malicious code or unwanted modifications. This could undermine the integrity of your site's functionality or security.

The CVSS score of 4.3 (medium severity) reflects that the attack requires user interaction (an administrator visiting a malicious page) but does not require privileges or complex conditions beyond that.

Mitigation Strategies

To mitigate this vulnerability, immediate steps involve updating the Code Snippets plugin to a version that includes the fix for CVE-2026-1785, which is any version after 3.9.4.

The fix includes strict validation and sanitization of input parameters, enforcing nonce verification for download and update actions to prevent CSRF attacks.

If updating immediately is not possible, consider restricting access to the WordPress admin interface to trusted IP addresses and educating administrators to avoid visiting untrusted or suspicious web pages while logged in.

Additionally, monitor and block suspicious requests attempting to perform snippet downloads or updates without valid nonce tokens.

Implementing Web Application Firewall (WAF) rules to detect and block requests lacking proper nonce tokens for these actions can also help mitigate exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1785. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart