CVE-2026-1785 in Code Snippets Plugin
Summary
by MITRE • 02/06/2026
The Code Snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.9.4. This is due to missing nonce validation on the cloud snippet download and update actions in the Cloud_Search_List_Table class. This makes it possible for unauthenticated attackers to force logged-in administrators to download or update cloud snippets without their consent via a crafted request, provided they can trick an administrator into visiting a malicious page.
Analysis
by VulDB Data Team • 02/06/2026
The Code Snippets plugin for WordPress is a widely used tool for managing code snippets within WordPress sites; version 3.9.4 is the last vulnerable release before the security patch. The vulnerability is a cross-site request forgery flaw affecting all versions up to and including that release, which poses a significant risk for WordPress administrators who rely on the plugin for site management. It resides in the Cloud_Search_List_Table class, where actions related to cloud snippet operations lack nonce validation.
The flaw stems from the absence of nonce validation on the cloud snippet download and update operations in the plugin's backend. When an authenticated administrator performs these actions, the plugin should verify that the request originates from its own interface by checking a nonce token that is tied to the session and time-limited. The Cloud_Search_List_Table class does not apply this control, so an attacker can craft HTTP requests that the plugin treats as if they came from a legitimate administrative session. This violates the basic requirement that every state-changing operation be protected against unauthorized execution.
The operational impact goes beyond simple privilege escalation: the flaw lets an attacker perform unauthorized administrative actions against WordPress sites running the affected plugin. An attacker can build a malicious web page, or embed code in an existing site, that automatically triggers cloud snippet download or update operations when an administrator visits it. Because the actions run with the privileges of the logged-in administrator, the result could be unauthorized code execution, data manipulation, or complete site compromise, depending on the cloud snippets involved. The attack requires social engineering to get an administrator to visit the malicious page, but once that succeeds the impact can be severe because the actions occur within a legitimate administrative session.
This vulnerability maps to CWE-352, which covers Cross-Site Request Forgery weaknesses in web applications, and aligns with ATT&CK technique T1059.007 for executing commands through web shells or malicious code injection. The missing nonce validation is a persistent gap that lets attackers trigger unauthorized operations without holding credentials or exploiting any other vulnerability. Organizations running WordPress with the Code Snippets plugin should update to the patched version immediately, since all versions prior to the fix are affected. Remediation means applying nonce validation to every administrative action, so that each request is checked against a time-sensitive token before any administrative function executes. The incident underscores the importance of validating all user input and protecting state-changing operations in web applications, particularly those operating with elevated privileges inside content management systems.
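The mechanism and the remediation described above, shown as an added example that is not the Code Snippets plugin's own code: a hypothetical WordPress admin-post handler for a "download cloud snippet" action, first without a nonce check and then hardened with WordPress's standard nonce and capability checks. The action name `example_cloud_download`, the function names, and the `download_cloud_snippet()` helper are assumptions for this illustration; `check_admin_referer()`, `wp_nonce_url()`, `current_user_can()` and the `admin_post_*` hook are real WordPress APIs.

```php
<?php
// Added illustration of the CSRF pattern behind CVE-2026-1785; not code from
// the Code Snippets plugin. download_cloud_snippet() is an assumed helper.

// --- Vulnerable form: the handler acts on any request that carries the right
// query parameters. A logged-in administrator's browser sends those cookies
// automatically, so an <img>, <form> or link on a third-party page that points
// at this admin-post URL triggers the download in the admin's session.
function example_cloud_download_unsafe() {
    $snippet_id = isset( $_GET['snippet_id'] ) ? absint( $_GET['snippet_id'] ) : 0;
    // No nonce check and no capability check: the request is trusted as-is.
    download_cloud_snippet( $snippet_id );
    wp_safe_redirect( admin_url( 'admin.php?page=snippets' ) );
    exit;
}

// --- Hardened form: require a nonce minted for this exact action and the
// current user, then confirm the user is allowed to perform it.
// check_admin_referer() reads $_REQUEST['_wpnonce'] and calls wp_die() when
// the token is missing, expired or generated for a different action/user,
// so a forged request never reaches the state-changing call.
function example_cloud_download_safe() {
    check_admin_referer( 'example_cloud_download' );       // CSRF token check
    if ( ! current_user_can( 'manage_options' ) ) {       // authorization check
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }
    $snippet_id = isset( $_GET['snippet_id'] ) ? absint( $_GET['snippet_id'] ) : 0;
    if ( 0 === $snippet_id ) {
        wp_die( esc_html__( 'Invalid snippet id.', 'example' ), 400 );
    }
    download_cloud_snippet( $snippet_id );
    wp_safe_redirect( admin_url( 'admin.php?page=snippets' ) );
    exit;
}

// The plugin's own UI must mint the token the handler expects. wp_nonce_url()
// appends a _wpnonce parameter generated for the same action name, bound to
// the current user and valid only for a limited time window.
function example_cloud_download_link( $snippet_id ) {
    $url = add_query_arg(
        array(
            'action'     => 'example_cloud_download',
            'snippet_id' => absint( $snippet_id ),
        ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'example_cloud_download' );
}

// Route admin-post.php?action=example_cloud_download to the hardened handler.
add_action( 'admin_post_example_cloud_download', 'example_cloud_download_safe' );
```

The two checks serve different purposes and both are needed: the nonce proves the request was built by the plugin's own interface for this user, while `current_user_can()` proves the user is authorized to take the action at all. For AJAX endpoints the equivalent of `check_admin_referer()` is `check_ajax_referer()`, and a list-table class like the one named in the advisory would typically verify the nonce at the top of its action-processing method before branching on the requested action.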