CVE-2026-1785
CSRF in WordPress Code Snippets Plugin Allows Admin Snippet Manipulation

Publication date: 2026-02-06

Last updated on: 2026-02-06

Assigner: Wordfence

Description
The Code Snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.9.4. This is due to missing nonce validation on the cloud snippet download and update actions in the Cloud_Search_List_Table class. This makes it possible for unauthenticated attackers to force logged-in administrators to download or update cloud snippets without their consent via a crafted request, granted they can trick an administrator into visiting a malicious page.
Meta Information
Published: 2026-02-06
Last Modified: 2026-02-06
Generated: 2026-05-27
AI Q&A: 2026-02-06
EPSS Evaluated: 2026-05-25
Affected Vendors & Products (3 associated CPEs)
Vendor          Product         Version / Range
code_snippets   code_snippets   up to 3.9.4 (inclusive)
code_snippets   code_snippets   3.9.5
code_snippets   code_snippets   3.9.2
CWE
CWE ID    Description
CWE-352   The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves Cross-Site Request Forgery (CSRF) in the Code Snippets WordPress plugin, versions up to 3.9.4, where unauthenticated attackers can trick logged-in administrators into downloading or updating cloud snippets via crafted requests.

Detection on your network or system would involve monitoring for suspicious HTTP requests targeting the cloud snippet download or update actions, especially those lacking proper nonce validation.

Specifically, you can look for HTTP requests with parameters such as 'action=download' or 'action=update' along with 'snippet' and 'source' parameters sent to the WordPress admin interface URLs related to the Code Snippets plugin.

Since the vulnerability is due to missing nonce validation, legitimate requests should include a valid nonce token in the URL or POST data. Absence of such nonce tokens in these requests may indicate exploitation attempts.

Suggested commands to detect such activity could include using web server logs or network monitoring tools to filter requests. For example, using grep on Apache or Nginx logs:

    grep -i 'action=download' /var/log/apache2/access.log
    grep -i 'action=update' /var/log/apache2/access.log
    grep -i 'snippet=' /var/log/apache2/access.log

Additionally, you can use tools like Wireshark or network IDS/IPS to detect HTTP requests to the WordPress admin URLs containing these parameters without valid nonce tokens.

However, no explicit detection commands or signatures are provided in the available resources.
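The grep approach above only finds candidate lines; the following added example (written for this page, not code from the advisory or the plugin) goes one step further in Python: it parses combined-format access log lines, keeps only admin requests carrying the download/update action together with a snippet parameter, and flags those that lack a nonce or arrive with an off-site Referer, which is the CSRF signal the text describes. The `_wpnonce` parameter name, the `page=snippets` admin slug, the site host and the log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx "combined" format: ip ident user [time] "METHOD url PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
SUSPECT_ACTIONS = {"download", "update"}  # the two actions named in the advisory
NONCE_PARAMS = ("_wpnonce",)  # assumption: WordPress' default nonce query argument name


def classify(line, site_host="example.com"):
    # Returns None for lines that are not cloud-snippet actions, else a finding dict.
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    if "/wp-admin/" not in url.path:
        return None
    q = parse_qs(url.query)
    action = q.get("action", [""])[0]
    if action not in SUSPECT_ACTIONS or "snippet" not in q:
        return None
    has_nonce = any(p in q for p in NONCE_PARAMS)
    referer_host = urlsplit(m["referer"]).netloc
    foreign_referer = bool(referer_host) and referer_host != site_host
    if has_nonce and not foreign_referer:
        verdict = "ok"
    elif foreign_referer:
        verdict = "suspect"  # request did not originate from this site's own admin pages
    else:
        # POST bodies are not in access logs, so an absent nonce is inconclusive there
        verdict = "check-body" if m["method"] == "POST" else "suspect"
    return {"ip": m["ip"], "method": m["method"], "action": action, "snippet": q["snippet"][0],
            "nonce": has_nonce, "foreign_referer": foreign_referer, "verdict": verdict}


def scan(lines, site_host="example.com"):
    return [f for f in (classify(l, site_host) for l in lines) if f]


# Constructed sample traffic (not real log data); the "snippets" admin page slug is assumed
SAMPLE_LOG = """\
203.0.113.7 - - [06/Feb/2026:10:00:01 +0000] "GET /wp-admin/admin.php?page=snippets&action=download&snippet=123&source=codevault HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"
198.51.100.4 - - [06/Feb/2026:10:00:05 +0000] "GET /wp-admin/admin.php?page=snippets&action=update&snippet=123&source=codevault&_wpnonce=abcdef1234 HTTP/1.1" 302 0 "https://example.com/wp-admin/admin.php?page=snippets" "Mozilla/5.0"
203.0.113.7 - - [06/Feb/2026:10:00:09 +0000] "POST /wp-admin/admin.php?page=snippets&action=update&snippet=456 HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"
192.0.2.10 - - [06/Feb/2026:10:00:12 +0000] "POST /wp-admin/admin.php?page=snippets&action=download&snippet=789 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [06/Feb/2026:10:00:15 +0000] "GET /wp-admin/edit.php?post_type=page HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

FINDINGS = scan(SAMPLE_LOG.splitlines())  # one dict per flagged snippet action, with a verdict field
```

A "check-body" verdict means the request must be correlated with a source that records POST bodies (a WAF or reverse-proxy log) before it can be judged.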


Can you explain this vulnerability to me?

The Code Snippets plugin for WordPress has a vulnerability known as Cross-Site Request Forgery (CSRF) affecting all versions up to and including 3.9.4. This vulnerability arises because the plugin's cloud snippet download and update actions in the Cloud_Search_List_Table class do not properly validate nonces, which are security tokens used to verify legitimate requests.

Due to this missing nonce validation, an attacker who can trick a logged-in administrator into visiting a malicious webpage can force that administrator to unknowingly download or update cloud snippets without their consent. This happens because the attacker can craft a request that the administrator's browser executes with their privileges.


How can this vulnerability impact me?

This vulnerability can impact you by allowing unauthorized actions to be performed on your WordPress site if an administrator is tricked into visiting a malicious page. Specifically, attackers can force administrators to download or update cloud snippets without their knowledge or consent.

While the vulnerability does not directly compromise confidentiality or availability, it can lead to unauthorized changes in the plugin's code snippets, potentially introducing malicious code or unwanted modifications. This could undermine the integrity of your site's functionality or security.

The CVSS score of 4.3 (medium severity) reflects that the attack requires user interaction (an administrator visiting a malicious page) but does not require privileges or complex conditions beyond that.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediate steps involve updating the Code Snippets plugin to a version that includes the fix for CVE-2026-1785, which is any version after 3.9.4.

The fix includes strict validation and sanitization of input parameters, enforcing nonce verification for download and update actions to prevent CSRF attacks.

If updating immediately is not possible, consider restricting access to the WordPress admin interface to trusted IP addresses and educating administrators to avoid visiting untrusted or suspicious web pages while logged in.

Additionally, monitor and block suspicious requests attempting to perform snippet downloads or updates without valid nonce tokens.

Implementing Web Application Firewall (WAF) rules to detect and block requests lacking proper nonce tokens for these actions can also help mitigate exploitation.

