CVE-2026-7430: Post Snippets WordPress Plugin Stored XSS Vulnerability
The Post Snippets plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting all versions up to 4.0.19. An authenticated administrator can inject malicious code through the plugin's import feature. When that code is imported, it gets embedded unsafely into the post editor's JavaScript, allowing the attacker to execute arbitrary scripts that run whenever any administrator opens a post editor page. This is a privilege-escalation and persistence risk: an attacker with admin access can compromise the experience of other admins and potentially maintain control across sessions.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.4 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
The Post Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.0.19. This is due to insufficient output escaping of imported snippet content when rendering JavaScript variables in the post editor. Specifically, the `jqueryUiDialog()` method in `WPEditor.php` embeds snippet content directly into JavaScript string literals without escaping double quotes (the quote-escaping code on line 214 is commented out). When snippets are imported via the Import/Export feature, the content bypasses WordPress's `wp_magic_quotes()` (which would otherwise add protective backslashes), allowing double quotes in snippet content to break out of the JavaScript string context. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts via a malicious import file that execute whenever any administrator accesses a post editor page. Please note that this does not affect single-site installations as administrators already have the `unfiltered_html` capability.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from insufficient output escaping in the `jqueryUiDialog()` method within `WPEditor.php`. When snippet content is imported via the Import/Export feature, the plugin embeds it directly into JavaScript string literals without proper escaping of double-quote characters. The relevant quote-escaping code on line 214 is commented out, and imported content bypasses WordPress's `wp_magic_quotes()` sanitization. This allows a double quote in malicious snippet content to break the JavaScript string context and inject arbitrary code. The XSS payload executes with the privilege level of the accessing administrator and persists in the stored snippets, triggering on every editor load.
Business impact
The attack surface is limited to multisite WordPress installations where administrators may not already possess `unfiltered_html` capability. On affected multisite networks, a rogue administrator can inject persistent malicious scripts that execute whenever peer administrators access the post editor, potentially stealing session tokens, modifying post content, or redirecting users to malicious sites. The reputational and operational risk depends on the sensitivity of content managed through the affected installation and the number of administrators who may be compromised.
Affected systems
The Post Snippets plugin in versions up to and including 4.0.19 is vulnerable. WordPress multisite installations are at risk; single-site installations are not affected because administrators on single sites already have unrestricted `unfiltered_html` capability. The vulnerability requires an attacker to have Administrator-level or higher access to the WordPress installation.
Exploitability
Exploitation requires Administrator-level access and involves uploading a malicious import file via the plugin's Import/Export feature. The attack does not require user interaction beyond an administrator's normal workflow of accessing the post editor. The CVSS score of 4.4 reflects the high privilege requirement (PR:H) and high complexity (AC:H), which substantially limits the practical threat; however, insider threats or compromised admin accounts elevate concern. The vulnerability is not currently tracked as actively exploited in the wild.
Remediation
Update the Post Snippets plugin to a patched version released after 2026-06-17 (verify against the vendor advisory for the exact version number). For multisite installations unable to patch immediately, consider disabling the Import/Export feature or restricting administrator role assignment to trusted users only. Review recent snippet imports in your installation logs to detect any suspicious activity or injected code.
Patch guidance
Check the official Post Snippets plugin repository for an update addressing this XSS vulnerability. The patch should re-enable or properly implement quote escaping in the `jqueryUiDialog()` method. Apply the update to all affected multisite installations. Single-site installations do not require action from a security perspective, though patching is recommended for defense-in-depth and to prevent future issues.
Detection guidance
Monitor WordPress multisite installations for unexpected changes to snippet content, particularly around special characters (quotes, backslashes, or JavaScript syntax) in imported snippets. Check editor activity logs to identify which administrators accessed posts after suspicious imports. Use a Web Application Firewall (WAF) configured to detect JavaScript injection patterns in POST requests to `/wp-admin/post.php` or similar editor endpoints. Inspect the Post Snippets database tables for snippets containing obfuscated or encoded JavaScript.
Why prioritize this
Although the CVSS score is moderate (4.4), this vulnerability poses a direct persistence and lateral-privilege-threat risk in multisite environments. The ability for an attacker with admin access to inject code that affects peer administrators makes this relevant for insider-threat programs and compromise-assessment scenarios. Multisite WordPress operators managing sensitive content or multiple administrative users should prioritize patching.
Risk score, explained
The CVSS 3.1 score of 4.4 (MEDIUM) reflects the high privilege barrier (PR:H—Administrator access required), high attack complexity (AC:H), and limited scope (only multisite WordPress installations are affected). Confidentiality and Integrity are impacted (C:L, I:L), but Availability is not (A:N). The score does not account for the insider-threat context or persistence implications; organizations with strict role-based access controls and low admin-turnover may score this lower, while those with many administrators or third-party admin accounts may justify higher internal risk ratings.
Frequently asked questions
Does this affect my single-site WordPress installation?
No. Single-site WordPress administrators already have the `unfiltered_html` capability by default, which means they can post unrestricted HTML and JavaScript anyway. The vulnerability is specific to multisite installations where the plugin's improper escaping exposes a gap that would otherwise be closed by WordPress's permission model.
What is the attack scenario?
A threat actor with Administrator-level access (either a rogue insider or someone who compromised an admin account) creates a malicious snippet, exports it, and then imports it back through the Import/Export feature. The malicious content breaks out of a JavaScript string literal and executes in the post editor whenever any other administrator opens the editor to create or edit posts.
How do I know if my installation has been compromised by this vulnerability?
Review your Post Snippets import history and examine imported snippets for unusual characters (escaped quotes, backslashes, or inline JavaScript code). Check administrator access logs for unusual post-editor activity. If you suspect compromise, use a security scanner to inspect snippet content and look for stored JavaScript payloads in the database.
Can I work around this vulnerability without updating?
You can reduce risk by disabling or uninstalling the Import/Export feature if your workflow permits, restricting the Administrator role to only trusted personnel, and implementing strict file-upload controls. However, patching is the recommended solution. Verify the patched version against the vendor advisory before deployment.
This analysis is based on publicly disclosed vulnerability information current as of the modification date (2026-06-17). Patch version numbers and exact remediation steps should be verified against the official Post Snippets plugin repository and WordPress.org advisory. This vulnerability requires Administrator access and does not affect single-site WordPress installations. Organizations should conduct their own testing and impact assessment before deploying patches in production environments. SEC.co provides this information for educational and defensive purposes only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1