WordPress Security Bulletin: Code Snippets Plugin Vulnerability (CVE-2026-1785)

Security Alert Summary

The Code Snippets plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability affecting versions up to and including 3.9.4. Missing nonce validation on cloud snippet download and update actions can allow an attacker to cause a logged-in administrator to perform those actions without their consent if the administrator is tricked into visiting a crafted page.


CVE Details

  • CVE ID: CVE-2026-1785
  • Affected component: Code Snippets plugin for WordPress (cloud snippet download and update actions in the Cloud_Search_List_Table class)
  • Affected versions: All versions up to, and including, 3.9.4
  • Published: February 6, 2026 at 9:15:49 AM
  • Last modified: February 6, 2026 at 3:14:47 PM
  • CVSS v3.1: Base Score 4.3 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
  • Authentication / privileges / interaction: PR:N (no privileges required), UI:R (user interaction required)
  • Primary impact: Confidentiality: None; Integrity: Low; Availability: None
  • CWE / weakness: CWE-352 (Cross-Site Request Forgery)

Technical Details

The vulnerability is a Cross-Site Request Forgery (CSRF) issue caused by missing nonce validation on the cloud snippet download and update actions implemented in the Cloud_Search_List_Table class. Because the plugin does not validate a nonce for these actions, a crafted request hosted on an attacker-controlled page can trigger the download or update workflow when a logged-in administrator visits that page.

The CVE description specifically identifies the missing nonce checks on the cloud snippet download and update actions as the root cause. Successful exploitation requires tricking an administrator into visiting a malicious page (user interaction), and does not require any prior authentication by the attacker.
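To make the root cause concrete, the following is an added illustration (not code from the Code Snippets plugin) of a WordPress admin action handler in the shape the bulletin describes: first the vulnerable pattern, where a logged-in session alone is trusted, then the hardened form that binds each link to a nonce and verifies it with `check_admin_referer()` before acting. Function, action and parameter names are assumptions for illustration, and the code assumes a WordPress runtime.

```php
<?php
// Added example, not the plugin's own code. Names such as
// example_handle_cloud_action_* and the 'cloud_action' / 'snippet_id'
// parameters are hypothetical stand-ins for the download/update actions.

// Hypothetical worker that performs the cloud download or update.
function example_download_or_update_snippet( $action, $snippet_id ) {
    // Real work would happen here; omitted for the illustration.
}

// --- Vulnerable shape: the request is honoured merely because the
// browser sends the admin's session cookie. Nothing proves the admin
// clicked a link on this site, so a cross-site page can trigger it.
function example_handle_cloud_action_unsafe() {
    if ( empty( $_GET['cloud_action'] ) || empty( $_GET['snippet_id'] ) ) {
        return;
    }
    example_download_or_update_snippet( $_GET['cloud_action'], (int) $_GET['snippet_id'] );
}

// --- Hardened shape, part 1: every action link carries a nonce bound to
// the current user, the action and the specific snippet.
function example_cloud_action_url( $action, $snippet_id ) {
    $url = add_query_arg(
        array( 'cloud_action' => $action, 'snippet_id' => (int) $snippet_id ),
        admin_url( 'admin.php?page=example-cloud-snippets' )
    );
    // wp_nonce_url() appends _wpnonce=... derived from the user session.
    return wp_nonce_url( $url, 'example_cloud_' . $action . '_' . (int) $snippet_id );
}

// --- Hardened shape, part 2: verify capability and nonce before acting.
function example_handle_cloud_action_safe() {
    if ( empty( $_GET['cloud_action'] ) || empty( $_GET['snippet_id'] ) ) {
        return;
    }
    $action     = sanitize_key( wp_unslash( $_GET['cloud_action'] ) );
    $snippet_id = (int) $_GET['snippet_id'];

    if ( ! in_array( $action, array( 'download', 'update' ), true ) ) {
        wp_die( 'Unknown action.' );
    }
    // Capability check: only users allowed to administer the site proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Nonce check: check_admin_referer() reads _wpnonce and calls wp_die()
    // when it is missing or does not match this action string. A page on
    // another origin cannot obtain a valid nonce, so the forged request stops here.
    check_admin_referer( 'example_cloud_' . $action . '_' . $snippet_id );

    example_download_or_update_snippet( $action, $snippet_id );
}
```

Note that the nonce alone does not replace the capability check; the two together ensure both that the requester is authorised and that the request originated from a link or form rendered by this site.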


How This Could Impact Your Website

In a typical small- or medium-sized WordPress site, multiple people may have accounts with different roles: a site owner, internal staff who assist with content, and external contractors or contributors. Because this issue allows an attacker to force cloud snippet downloads or updates through a CSRF attack, an administrator could unknowingly cause snippets to be changed or replaced.

The reported impact is to integrity: unintended changes to site behavior or to the code snippets that are executed on the site. While the CVSS data reports no direct confidentiality impact, altered snippets could indirectly create opportunities for further social engineering or targeted attacks against staff or contractors by changing displayed content or introducing deceptive behavior.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially those with administrator or editor-level access.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce the attack surface.
  • Monitor site activity and logs for unusual behavior related to plugin updates or unexpected snippet changes.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References