Platform: wordpress
Component: post-snippits
Fixed in: 1.0.1
CVE-2026-2723 is a vulnerability in the Post Snippits plugin for WordPress. A settings request that is not protected by a nonce can be forged (Cross-Site Request Forgery), and the forged request can modify plugin settings to contain script that the site later renders (stored Cross-Site Scripting). The attacker does not need an account of their own; they need a logged-in administrator to load a page or link they control. The affected versions are listed as 1.0.0 through 1.0. The header of this entry lists 1.0.1 as the fixed release; confirm that against the plugin's changelog before relying on it.
The primary impact of CVE-2026-2723 is that an attacker can get malicious script stored in a WordPress site's settings through the Post Snippits plugin. This happens when an attacker tricks a site administrator into visiting a specially crafted page or link that submits a forged request to the plugin's settings endpoint; the browser attaches the administrator's session cookies, so the plugin accepts the change. Successful exploitation can lead to session hijacking, defacement of the website, or redirection to malicious sites. The blast radius extends to every visitor of the compromised site, since the injected script runs wherever the modified setting is rendered. The root cause is the pattern this vulnerability class always shares: a state-changing admin action without a nonce and capability check, combined with a stored value that is not validated on input or escaped on output.
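The following is an added illustration of that pattern, not code from the Post Snippits plugin. It shows a settings handler with the two defects described above (no nonce or capability check, and unescaped output of the stored value) next to a hardened version that uses the standard WordPress protections. The option name ps_demo_snippet, the action names and the function names are assumptions made for the example.

```php
<?php
// Added example, not the plugin's own code. Option name, action names and
// function names ('ps_demo_*') are assumptions for illustration only.

// ---- Vulnerable pattern ----------------------------------------------------
// Any POST to admin-post.php?action=ps_demo_save is honoured. A page on an
// attacker's site can auto-submit this form; the victim admin's browser sends
// the request with the admin's cookies, so the forged value is stored (CSRF).
function ps_demo_save_vulnerable() {
    if ( isset( $_POST['snippet'] ) ) {
        update_option( 'ps_demo_snippet', $_POST['snippet'] ); // raw HTML stored, no nonce, no capability check
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=ps-demo' ) );
    exit;
}
add_action( 'admin_post_ps_demo_save', 'ps_demo_save_vulnerable' );

function ps_demo_render_vulnerable() {
    echo get_option( 'ps_demo_snippet', '' ); // stored XSS: value rendered without escaping
}

// ---- Hardened pattern ------------------------------------------------------
function ps_demo_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'ps_demo_save', 'ps_demo_nonce' ); // per-user, time-limited token ?>
        <input type="hidden" name="action" value="ps_demo_save_secure">
        <textarea name="snippet"><?php echo esc_textarea( get_option( 'ps_demo_snippet', '' ) ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function ps_demo_save_secure() {
    // 1. Capability check: only users who may manage options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. Nonce check: the request must come from our own form. A cross-site
    //    forged POST carries the admin's cookies but cannot know the nonce.
    check_admin_referer( 'ps_demo_save', 'ps_demo_nonce' );

    // 3. Input validation: wp_unslash undoes WordPress's magic quoting, then
    //    wp_kses_post strips <script>, on* attributes and javascript: URLs.
    $snippet = isset( $_POST['snippet'] ) ? wp_unslash( $_POST['snippet'] ) : '';
    $snippet = wp_kses_post( $snippet );
    update_option( 'ps_demo_snippet', $snippet );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_ps_demo_save_secure', 'ps_demo_save_secure' );

function ps_demo_render_secure() {
    // 4. Output encoding: filter again on output so a value written to the
    //    option by some other path (old version, direct DB edit) is still inert.
    echo wp_kses_post( get_option( 'ps_demo_snippet', '' ) );
}
```

The nonce check is what defeats the forged request; the capability check stops a low-privilege account from reaching the handler at all; and the input filter plus output filter are what keep a stored setting from becoming stored XSS. All four are needed, because each closes a different path. If the plugin genuinely needs to store raw script (its feature is inserting snippets), the nonce and capability checks remain mandatory and the rendering code should be limited to users who explicitly have the unfiltered_html capability.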
CVE-2026-2723 was publicly disclosed on 2026-03-21. At the time of writing there are no known public Proof-of-Concept (PoC) exploits, and the vulnerability is not listed in the CISA KEV catalog. Because a CSRF exploit is little more than an auto-submitting HTML form pointed at the plugin's settings endpoint, it is prudent to assume a PoC could appear quickly.
Exploit Status
EPSS: 0.02% (3rd percentile)
CISA SSVC: not listed
CVSS Vector: not provided
The immediate mitigation for CVE-2026-2723 is for administrators to avoid clicking links from untrusted sources while logged in to wp-admin, particularly links that point at plugin administration pages, and ideally to browse untrusted sites in a separate browser profile from the one holding the admin session. The permanent fix is to upgrade to the fixed release of the Post Snippits plugin (listed as 1.0.1 in the header of this entry). Until the fix is applied, consider temporarily deactivating the Post Snippits plugin to remove the attack surface. A Web Application Firewall (WAF) can reduce exposure with a rule that rejects state-changing requests to the plugin's settings endpoint whose Origin or Referer header is not your own site; a WAF cannot distinguish a forged request from a legitimate one on content alone, since both carry valid admin cookies. Regularly review the plugin's stored settings for unauthorized modifications, especially values containing script tags, event-handler attributes or javascript: URLs.
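One way to do that review continuously rather than by hand, as an added example that is not part of the advisory or the plugin: a must-use plugin that hooks WordPress's update_option_{$option} action and records who changed the setting, from which client, with which Referer, and whether the new value looks like script. The option name ps_demo_snippet is an assumption; replace it with the real option key used by the plugin you are auditing.

```php
<?php
/**
 * Plugin Name: Settings-change audit (added example)
 * Description: Drop into wp-content/mu-plugins/. Logs every change to the audited
 *              option and emails the site admin when the new value looks like script.
 * Note: the option key below is an assumption for this example, not the plugin's real key.
 */

define( 'PS_AUDITED_OPTION', 'ps_demo_snippet' ); // assumed option key, substitute the real one

// Fires only when the option's value actually changes; arguments are
// ($old_value, $new_value, $option_name).
add_action(
    'update_option_' . PS_AUDITED_OPTION,
    function ( $old_value, $new_value, $option ) {
        $user    = wp_get_current_user();
        $new_str = is_string( $new_value ) ? $new_value : wp_json_encode( $new_value );

        // Script tags, inline event handlers and javascript: URLs are the
        // payload shapes a stored-XSS injection would need.
        $looks_like_script = (bool) preg_match(
            '/<\s*script\b|\bon[a-z]+\s*=|javascript\s*:/i',
            (string) $new_str
        );

        // A forged cross-site request arrives with the admin's cookies but its
        // Referer (if any) is the attacker's page, not this site's wp-admin.
        $referer       = wp_get_referer() ? wp_get_referer() : '';
        $referer_is_us = $referer !== '' && strpos( $referer, home_url() ) === 0;

        $entry = array(
            'time'       => current_time( 'mysql' ),
            'option'     => $option,
            'user'       => $user->exists() ? $user->user_login : 'anonymous',
            'ip'         => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
            'referer'    => $referer,
            'referer_ok' => $referer_is_us,
            'old_hash'   => md5( (string) ( is_string( $old_value ) ? $old_value : wp_json_encode( $old_value ) ) ),
            'new_hash'   => md5( (string) $new_str ),
            'suspicious' => $looks_like_script || ! $referer_is_us,
        );

        // Goes to the PHP error log; ship that log to your SIEM.
        error_log( 'SETTINGS-AUDIT ' . wp_json_encode( $entry ) );

        if ( $entry['suspicious'] ) {
            wp_mail(
                get_option( 'admin_email' ),
                'Suspicious settings change to ' . $option,
                wp_json_encode( $entry, JSON_PRETTY_PRINT ) . "\n\nNew value:\n" . $new_str
            );
        }
    },
    10,
    3
);
```

This does not prevent the change; it makes a forged or malicious change visible within seconds instead of at the next manual review, and the Referer and user fields give the responder a starting point. Because the hook runs inside the same request that stores the value, the log entry is written even if the attacker later cleans up the option.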
If the fixed release listed in the header (1.0.1) is not available to you, review the vulnerability's details in depth and apply mitigations according to your organization's risk tolerance. Uninstalling the affected plugin and finding a replacement is a reasonable option.
CVE-2026-2723 is a vulnerability in the Post Snippits WordPress plugin: a forged request (Cross-Site Request Forgery) can change plugin settings, and the changed setting can inject malicious script into the site (stored Cross-Site Scripting).
You are affected if your WordPress site runs the Post Snippits plugin in one of the listed affected versions (1.0.0 through 1.0) and you have not upgraded to a fixed version.
Upgrade to the fixed release of the Post Snippits plugin (listed as 1.0.1 above). Until you have, deactivate the plugin or restrict requests to its settings endpoint with a WAF.
As of now there are no confirmed reports of active exploitation, but a PoC is plausible given how simple a CSRF exploit is to build.
Check the Post Snippits plugin's official website or WordPress plugin repository for updates and advisories related to CVE-2026-2723.