Platform: wordpress
Component: code-snippets
Fixed in: 3.9.5
CVE-2026-1785 describes a Cross-Site Request Forgery (XSRF) vulnerability affecting the Code Snippets plugin for WordPress. This flaw allows unauthenticated attackers to potentially force logged-in administrators to perform actions, such as downloading or updating cloud snippets, without their explicit consent. The vulnerability impacts versions 0.0 through 3.9.4 of the plugin, and a fix is available in version 3.9.5.
An attacker exploiting this XSRF vulnerability could craft a malicious web page designed to trick an administrator into unknowingly executing actions within the Code Snippets plugin. Specifically, the attacker could force the administrator to download or update cloud snippets, potentially introducing malicious code or configurations into the WordPress environment. This could lead to unauthorized code execution, data breaches, or compromise of the entire WordPress site. The impact is amplified if the administrator has broad permissions, as the attacker could then leverage the plugin to perform actions with elevated privileges.
CVE-2026-1785 was publicly disclosed on 2026-02-06. No public proof-of-concept (PoC) code has been released as of this writing. The vulnerability's impact is considered medium due to the requirement of tricking an administrator into visiting a malicious page. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.01% (1% percentile)
The primary mitigation for CVE-2026-1785 is to immediately upgrade the Code Snippets plugin to version 3.9.5 or later. If upgrading is not immediately feasible due to compatibility concerns or testing requirements, consider implementing stricter input validation and output encoding practices within the plugin's code to prevent XSRF attacks. Additionally, enabling a WordPress security plugin with XSRF protection can provide an additional layer of defense. Regularly review WordPress user permissions to ensure administrators only have the necessary access.
Update to version 3.9.5, or a newer patched version
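The missing control behind a CSRF flaw of this kind is a request token that a cross-site page cannot obtain. The following is an added example, not code from the Code Snippets plugin, showing the standard WordPress pattern: an admin-post handler that relies only on the capability check (the vulnerable shape) beside one that also verifies a nonce tied to the action. The action name `demo_sync_snippet` and the helper `sync_snippet_from_cloud()` are hypothetical stand-ins.

```php
<?php
// Added example, not the plugin's own code. Assumes WordPress is loaded;
// 'demo_sync_snippet' and sync_snippet_from_cloud() are hypothetical names.

// Vulnerable shape: only the capability is checked. A request forged from
// another site is sent with the administrator's session cookies, so this
// check passes and the action runs without the administrator intending it.
function demo_sync_snippet_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    $id = absint( $_REQUEST['snippet_id'] ?? 0 );
    sync_snippet_from_cloud( $id ); // hypothetical helper doing the real work
}

// Hardened shape: the capability check stays (defense in depth) and a nonce
// bound to this action and to the logged-in user must verify before any work.
// A cross-site page cannot read the nonce, so a forged request fails here.
function demo_sync_snippet_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    // check_admin_referer() stops the request with a 403 when the '_wpnonce'
    // parameter is missing or does not verify for this action name.
    check_admin_referer( 'demo_sync_snippet' );
    $id = absint( $_REQUEST['snippet_id'] ?? 0 );
    sync_snippet_from_cloud( $id );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-snippets&synced=' . $id ) );
    exit;
}
add_action( 'admin_post_demo_sync_snippet', 'demo_sync_snippet_hardened' );

// The link the plugin's own admin screen renders must carry a matching nonce;
// wp_nonce_url() appends '_wpnonce' for the same action name checked above.
function demo_sync_button( $id ) {
    $url = wp_nonce_url(
        admin_url( 'admin-post.php?action=demo_sync_snippet&snippet_id=' . absint( $id ) ),
        'demo_sync_snippet'
    );
    return '<a class="button" href="' . esc_url( $url ) . '">Sync from cloud</a>';
}
```

Nonces in WordPress are per-user and time-limited, so a token lifted from one administrator's page does not authorize a request as another, and the same check applies whether the request arrives as GET or POST.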
CVE-2026-1785 is a Cross-Site Request Forgery (XSRF) vulnerability in the Code Snippets WordPress plugin, allowing attackers to trick administrators into unwanted actions.
Yes. If you are using the Code Snippets plugin at any version from 0.0 through 3.9.4, you are affected by this vulnerability.
Upgrade the Code Snippets plugin to version 3.9.5 or later to resolve this XSRF vulnerability.
As of now, there are no confirmed reports of active exploitation, but it's crucial to apply the patch promptly.
Refer to the official Code Snippets plugin website or WordPress.org plugin repository for the latest advisory and update information.