CVE-2026-7430
Deferred Deferred - Pending Action
Stored XSS in Post Snippets WordPress Plugin

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: Wordfence

Description
The Post Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.0.19. This is due to insufficient output escaping of imported snippet content when rendering JavaScript variables in the post editor. Specifically, the `jqueryUiDialog()` method in `WPEditor.php` embeds snippet content directly into JavaScript string literals without escaping double quotes (the quote-escaping code on line 214 is commented out). When snippets are imported via the Import/Export feature, the content bypasses WordPress's `wp_magic_quotes()` (which would otherwise add protective backslashes), allowing double quotes in snippet content to break out of the JavaScript string context. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts via a malicious import file that execute whenever any administrator accesses a post editor page. Please note that this does not affect single-site installations as administrators already have the `unfiltered_html` capability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-7430
EUVD
EUVD-2026-33246
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wp_snippets post_snippets to 4.0.19 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The Post Snippets plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to 4.0.19. This occurs because the plugin does not properly escape snippet content when embedding it into JavaScript variables in the post editor. Specifically, the method jqueryUiDialog() in the WPEditor.php file inserts snippet content directly into JavaScript string literals without escaping double quotes, allowing malicious scripts to be injected.

When snippets are imported using the Import/Export feature, the content bypasses WordPress's protective mechanism (wp_magic_quotes), enabling attackers with Administrator-level access to inject arbitrary scripts via a malicious import file. These scripts execute whenever an administrator accesses the post editor page.

This vulnerability does not affect single-site installations because administrators there already have the unfiltered_html capability, which mitigates this issue.

Impact Analysis

This vulnerability allows authenticated attackers with Administrator-level access to inject and execute arbitrary JavaScript code in the post editor page. This can lead to unauthorized actions such as stealing sensitive information, performing actions on behalf of administrators, or compromising the integrity of the WordPress site.

Because the malicious script executes in the context of the administrator's browser, it can bypass normal security controls and potentially lead to further compromise of the website or its data.

Mitigation Strategies

To mitigate this vulnerability, ensure that you update the Post Snippets plugin for WordPress to a version later than 4.0.19 where the issue is fixed.

Additionally, restrict import of snippet content to trusted administrators only, as exploitation requires Administrator-level access.

Avoid using the Import/Export feature with untrusted snippet files to prevent injection of malicious scripts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7430. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart