Platform
wordpress
Component
code-snippets
Fixed in
3.9.5
CVE-2026-1785 describes a Cross-Site Request Forgery (CSRF, also written XSRF) vulnerability in the Code Snippets plugin for WordPress. The flaw lets an unauthenticated attacker force a logged-in administrator to perform actions such as downloading or updating cloud snippets, without the administrator's knowledge or consent. All versions up to and including 3.9.4 are affected; version 3.9.5 fixes the issue.
To exploit it, an attacker crafts a web page (or a link in an e-mail or chat message) that makes the administrator's browser issue a request to the plugin's cloud-snippet action while that administrator is logged in to WordPress. The browser attaches the WordPress authentication cookies automatically, and the vulnerable plugin treats the request as if the administrator had submitted it from the plugin's own interface. The attacker can therefore make the administrator download or update cloud snippets, introducing attacker-chosen code or configuration into the site. Because Code Snippets stores and runs PHP, this can lead to code execution on the server, data exposure, or full compromise of the site. The attacker cannot act alone: the victim must hold the relevant privileges and visit the attacker's page while logged in, and whatever the forged request does, it does with that victim's permissions.
CVE-2026-1785 was publicly disclosed on 2026-02-06. No public proof-of-concept (PoC) code has been released as of this writing. Severity is rated medium because exploitation requires user interaction: an administrator must be lured to an attacker-controlled page while logged in. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Any WordPress site running an affected version of Code Snippets is at risk, above all sites whose administrators use the cloud-snippet feature and browse other websites while logged in to wp-admin. Because the forged request originates from the administrator's own browser, server-side network controls such as IP allowlists do not help, and the hosting model (shared or dedicated) does not change the exposure.
Detection (wordpress / composer / npm):
• Confirm the plugin is installed and read its version; anything below 3.9.5 is affected:
wp plugin list --name=code-snippets --fields=name,version,status
• Confirm the cloud-snippet code is present in the installed copy (this shows the feature exists, not which version is installed):
grep -r 'Cloud_Search_List_Table' /var/www/html/wp-content/plugins/code-snippets/
• Remote check where the plugin's readme is web-readable; note that "Stable tag" is the version published to WordPress.org and can differ from the version actually installed:
curl -s <wordpress_site>/wp-content/plugins/code-snippets/readme.txt | grep -i 'Stable tag'
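The version check above can be scripted so it does not depend on a shell pipeline or on WP-CLI being installed. The following PHP script is an added example for this page, not code from the advisory or from the Code Snippets project: it parses the same "Version:" header WordPress itself reads from a plugin's main file and compares it against the fixed release with version_compare(). The sample header embedded in the script is constructed for offline use; pass the real path (normally wp-content/plugins/code-snippets/code-snippets.php) as the first argument to check an installation.

```php
<?php
// Added example for this advisory; not code from the Code Snippets project.
// Reads the "Version:" plugin header and reports whether the installed
// version is below the fixed release named on this page.

const FIXED_VERSION = '3.9.5';

// Extract the Version header from the first 8 KB of a plugin's main file,
// which is where WordPress itself looks for plugin headers.
function version_from_header(string $fileHead): ?string
{
    if (preg_match('/^[ \t\/*#@]*Version:[ \t]*(\S+)/mi', $fileHead, $m)) {
        return $m[1];
    }
    return null;
}

// Affected if strictly below the fixed version. version_compare() orders
// pre-release tags ("3.9.5-beta") below the final release, as WordPress does.
function is_affected(string $version): bool
{
    return version_compare($version, FIXED_VERSION, '<');
}

// Read a real plugin file and classify it. Returns nulls when the file or
// header cannot be read so the caller can distinguish "unknown" from "patched".
function check_plugin_file(string $path): array
{
    $head = @file_get_contents($path, false, null, 0, 8192);
    if ($head === false) {
        return ['version' => null, 'affected' => null];
    }
    $version = version_from_header($head);
    return [
        'version'  => $version,
        'affected' => $version === null ? null : is_affected($version),
    ];
}

// Constructed sample of a plugin header (not the real file), used when no
// path is given so the script runs offline.
$sampleHeader = <<<'HDR'
/**
 * Plugin Name: Code Snippets
 * Version: 3.9.4
 * Requires PHP: 7.4
 */
HDR;

if (isset($argv[1])) {
    $result = check_plugin_file($argv[1]);
} else {
    $v = version_from_header($sampleHeader);
    $result = ['version' => $v, 'affected' => $v === null ? null : is_affected($v)];
}

if ($result['version'] === null) {
    fwrite(STDERR, "No Version header found\n");
    exit(2);
}
printf(
    "code-snippets %s: %s\n",
    $result['version'],
    $result['affected'] ? 'AFFECTED (< ' . FIXED_VERSION . ')' : 'patched'
);
exit($result['affected'] ? 1 : 0);
```

Run it as `php check-code-snippets.php /var/www/html/wp-content/plugins/code-snippets/code-snippets.php`; exit status 1 means affected, 0 patched, 2 unreadable, which makes it easy to drop into a fleet-wide audit. Without an argument it evaluates the constructed 3.9.4 header and reports it as affected.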
Exploit status
EPSS
0.01% (1st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-1785 is to upgrade the Code Snippets plugin to version 3.9.5 or later. If the upgrade cannot be applied immediately, be clear about what does and does not help: input validation and output encoding do not stop CSRF, because the forged request is well-formed and arrives with the victim's valid session. What stops it is server-side proof that the request was intentionally issued from the plugin's own interface, in WordPress terms a nonce check together with a capability check on the action handler, and only the patched plugin provides that. As interim measures, deactivate the plugin until it can be updated, or have administrators avoid browsing untrusted sites while logged in to wp-admin (a separate browser profile for administration achieves this). A WordPress security plugin or WAF may add generic CSRF heuristics but cannot reliably tell a forged request from a legitimate one, so treat it as defense in depth rather than a fix. Keep administrator accounts to the minimum needed, since every administrator is a potential CSRF victim.
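To make the distinction in the previous paragraph concrete, here is the generic WordPress pattern behind a plugin CSRF, beside its hardened form. This is an added, illustrative example and not code from the Code Snippets plugin: the action name demo_sync_cloud_snippet, the demo_ functions and the capability chosen are assumptions, and the script only models the control flow of an admin-post handler.

```php
<?php
// Added example; not code from the Code Snippets plugin. Models the WordPress
// admin-post pattern behind a plugin CSRF and the check that closes it.
// demo_sync_cloud_snippet, demo_* and the capability are hypothetical.

// Stand-in for the real work (fetching and storing a cloud snippet).
function demo_fetch_and_store_cloud_snippet(int $cloud_id): void
{
    // In a real plugin this would write attacker-controllable content to the
    // snippets table, so it must only run for a deliberate, authorised request.
    update_option('demo_last_synced_cloud_id', $cloud_id);
}

// VULNERABLE: anything that arrives with the administrator's cookies is honoured.
// A form on an attacker's page that POSTs to
// admin-post.php?action=demo_sync_cloud_snippet runs this with admin privileges.
function demo_sync_cloud_snippet_vulnerable(): void
{
    $cloud_id = (int) ($_POST['cloud_id'] ?? 0);
    demo_fetch_and_store_cloud_snippet($cloud_id);
    wp_safe_redirect(admin_url('admin.php?page=snippets'));
    exit;
}

// HARDENED: the request must carry a nonce the plugin issued to this user for
// this action, and the user must hold the capability the action requires.
function demo_sync_cloud_snippet_hardened(): void
{
    if (!current_user_can('manage_options')) {
        wp_die(__('You are not allowed to sync cloud snippets.'), 403);
    }
    // check_admin_referer() dies with a 403 unless $_POST['_wpnonce'] verifies
    // for this action. Nonces are bound to the user session and expire, so a
    // third-party page cannot obtain or guess one.
    check_admin_referer('demo_sync_cloud_snippet');

    $cloud_id = (int) ($_POST['cloud_id'] ?? 0);
    demo_fetch_and_store_cloud_snippet($cloud_id);
    wp_safe_redirect(admin_url('admin.php?page=snippets'));
    exit;
}
add_action('admin_post_demo_sync_cloud_snippet', 'demo_sync_cloud_snippet_hardened');

// The legitimate form embeds the matching nonce; this is the only way a request
// can pass check_admin_referer() above.
function demo_render_sync_form(int $cloud_id): void
{
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="demo_sync_cloud_snippet">
        <input type="hidden" name="cloud_id" value="<?php echo (int) $cloud_id; ?>">
        <?php wp_nonce_field('demo_sync_cloud_snippet'); ?>
        <?php submit_button(__('Sync snippet')); ?>
    </form>
    <?php
}
```

Two points a reviewer checks in handlers like this: the capability check and the nonce check are both needed (the nonce proves intent, the capability proves authorisation), and the state change must not be reachable over a plain GET link, because a top-level navigation still carries the session cookie even under the browser's default SameSite=Lax behaviour.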
Update to version 3.9.5, or a later fixed version
CVE-2026-1785 is a Cross-Site Request Forgery (CSRF) vulnerability in the Code Snippets WordPress plugin that lets an attacker make a logged-in administrator's browser perform cloud-snippet actions the administrator did not intend.
Yes: all versions of the Code Snippets plugin up to and including 3.9.4 are affected by this vulnerability.
Upgrade the Code Snippets plugin to version 3.9.5 or later to resolve this CSRF vulnerability.
As of now, there are no confirmed reports of active exploitation, but it's crucial to apply the patch promptly.
Refer to the official Code Snippets plugin website or WordPress.org plugin repository for the latest advisory and update information.