CVE-2026-7430
Deferred Deferred - Pending Action
Stored XSS in Post Snippets WordPress Plugin

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: Wordfence

Description
The Post Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.0.19. This is due to insufficient output escaping of imported snippet content when rendering JavaScript variables in the post editor. Specifically, the `jqueryUiDialog()` method in `WPEditor.php` embeds snippet content directly into JavaScript string literals without escaping double quotes (the quote-escaping code on line 214 is commented out). When snippets are imported via the Import/Export feature, the content bypasses WordPress's `wp_magic_quotes()` (which would otherwise add protective backslashes), allowing double quotes in snippet content to break out of the JavaScript string context. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts via a malicious import file that execute whenever any administrator accesses a post editor page. Please note that this does not affect single-site installations as administrators already have the `unfiltered_html` capability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-05-29
AI Q&A
2026-05-29
EPSS Evaluated
N/A
NVD
CVE-2026-7430
EUVD
EUVD-2026-33246
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wp_snippets post_snippets to 4.0.19 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

The Post Snippets plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to 4.0.19. This occurs because the plugin does not properly escape snippet content when embedding it into JavaScript variables in the post editor. Specifically, the method jqueryUiDialog() in the WPEditor.php file inserts snippet content directly into JavaScript string literals without escaping double quotes, allowing malicious scripts to be injected.

When snippets are imported using the Import/Export feature, the content bypasses WordPress's protective mechanism (wp_magic_quotes), enabling attackers with Administrator-level access to inject arbitrary scripts via a malicious import file. These scripts execute whenever an administrator accesses the post editor page.

This vulnerability does not affect single-site installations because administrators there already have the unfiltered_html capability, which mitigates this issue.


How can this vulnerability impact me? :

This vulnerability allows authenticated attackers with Administrator-level access to inject and execute arbitrary JavaScript code in the post editor page. This can lead to unauthorized actions such as stealing sensitive information, performing actions on behalf of administrators, or compromising the integrity of the WordPress site.

Because the malicious script executes in the context of the administrator's browser, it can bypass normal security controls and potentially lead to further compromise of the website or its data.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart