Post Snippets
Moderate fix1 remedy
cpe:2.3:a:postsnippets:post_snippets:*:*:*:*:wordpress:*:*
Moderate fix1 remedy
- <= 4.0.19
Post Snippets WordPress Plugin Stored Cross-Site Scripting Vulnerability
Vulnerability
Patched
A stored cross-site scripting vulnerability has been identified in the Post Snippets plugin for WordPress, affecting all versions through 4.0.19. The issue arises from inadequate output escaping of imported snippet content when it is rendered as JavaScript variables in the post editor. The vulnerability allows authenticated attackers with Administrator-level access to inject arbitrary scripts that execute when an administrator accesses the post editor.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user accessing the post editor.
Reproduction
To reproduce this vulnerability, an authenticated user with Administrator privileges can import a snippet containing unescaped double quotes into the Post Snippets plugin. The imported snippet will bypass WordPress's quote-escaping mechanism, allowing the double quotes to break out of the JavaScript string context. When the snippet is rendered in the post editor, the injected script will execute.
Remediation
Users are advised to update the Post Snippets plugin to version 4.1.1 or later.
Added: May 29, 2026, 4:25 AM
Updated: May 29, 2026, 4:25 AM
Vulnerability Rating
Custom Algorithm
spread
5.2impact
5.4exploitability
5.3remediation
7.7relevance
9.7threat
4.8urgency
2.9incentive
0.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.