CVE-2026-7430
Description
The Post Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.0.19. This is due to insufficient output escaping of imported snippet content when rendering JavaScript variables in the post editor. Specifically, the jqueryUiDialog() method in WPEditor.php embeds snippet content directly into JavaScript string literals without escaping double quotes (the quote-escaping code on line 214 is commented out). When snippets are imported via the Import/Export feature, the content bypasses WordPress's wp_magic_quotes() (which would otherwise add protective backslashes), allowing double quotes in snippet content to break out of the JavaScript string context. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts via a malicious import file that execute whenever any administrator accesses a post editor page. Please note that this does not affect single-site installations as administrators already have the unfiltered_html capability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Post Snippets 4.0.19 and earlier have a stored XSS in the post editor due to unescaped snippet content imported via the Import/Export feature.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the WordPress Post Snippets plugin in all versions up to and including 4.0.19. The flaw resides in the jqueryUiDialog() method of WPEditor.php, where imported snippet content is embedded directly into JavaScript string literals without proper escaping of double quotes; the intended quote-escaping code on line 214 is commented out [1][2]. When snippets are imported via the Import/Export feature, the content bypasses WordPress's wp_magic_quotes() protection, allowing double quotes to break out of the JavaScript string context [description].
Exploitation
An attacker must be an authenticated Administrator-level user (or above). The attacker imports a malicious file containing crafted snippet content that includes double quotes to break out of the JavaScript string. Once imported, the malicious snippet is stored and will execute as a script whenever any administrator accesses a post editor page that triggers the snippet [description]. On multisite installations, affected administrators do not possess the unfiltered_html capability, making the attack viable [description].
Impact
Successful exploitation allows the attacker to inject arbitrary web scripts into the post editor context. This can lead to session hijacking, defacement, or redirection to malicious sites, all within the victim's browser session. The injected script executes under the privileges of the administrator viewing the post editor [description].
Mitigation
The issue is fixed in version 4.1.1 as indicated by the corrected escaping code [3][4]. Users should immediately update the Post Snippets plugin to version 4.1.1 or later. For sites where updating is not immediately possible, administrators should restrict Import/Export functionality to trusted users only. This vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
- https://plugins.trac.wordpress.org/browser/post-snippets/tags/4.0.19/src/PostSnippets/WPEditor.php#L218
- https://plugins.trac.wordpress.org/browser/post-snippets/trunk/src/PostSnippets/WPEditor.php#L218
- https://plugins.trac.wordpress.org/browser/post-snippets/tags/4.1.1/src/PostSnippets/WPEditor.php#L20
- https://plugins.trac.wordpress.org/browser/post-snippets/tags/4.1.1/src/PostSnippets/WPEditor.php#L221
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=4.0.19
- (no CPE) range: <=4.0.19
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing output escaping of snippet content when embedding it into JavaScript string literals in the jqueryUiDialog() method."
Attack vector
An authenticated attacker with Administrator-level access imports a malicious snippet file via the Import/Export feature. Because the import bypasses WordPress's `wp_magic_quotes()` (which would otherwise add protective backslashes), double quotes in the snippet content are not escaped. When any administrator subsequently opens the post editor, the `jqueryUiDialog()` method [ref_id=1] embeds the unescaped snippet content directly into a JavaScript string literal, allowing the attacker's injected script to execute in the context of the editor page. This is a Stored Cross-Site Scripting (XSS) vulnerability.
Affected code
The vulnerability resides in the `jqueryUiDialog()` method of `WPEditor.php` (lines 218–260 in version 4.0.19). The method builds inline JavaScript variables by embedding snippet content directly into double-quoted JavaScript string literals. The quote-escaping code (`str_replace( '"', '\"', $snippet )`) on line 214 is commented out, so any double quotes in the snippet content break out of the JavaScript string context. The patched version (4.1.1) introduces a dedicated `encodeSnippetForInlineScript()` method that properly escapes the content before embedding it.
What the fix does
The patch (visible by comparing [ref_id=1] with [ref_id=2] and [ref_id=3]) replaces the raw concatenation of snippet content into JavaScript string literals with a call to a new `encodeSnippetForInlineScript()` method. This method properly escapes the content before embedding it, preventing double quotes from breaking out of the JavaScript string context. The commented-out `str_replace( '"', '\"', $snippet )` line is no longer needed because the new encoding function handles all necessary escaping.
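The unsafe pattern described above beside a hardened form, as an added illustration written for this page rather than code from the Post Snippets plugin. The plugin's real fix is its `encodeSnippetForInlineScript()` method; the `json_encode`-based encoder here is a generic equivalent, and `literal_is_intact()`, the variable names and the sample snippet are assumptions constructed for the demo.

```php
<?php
// Added illustration, not Post Snippets code. Shows why concatenating snippet
// content into a double-quoted JavaScript literal fails and how a JSON-based
// encoder keeps the content inside the string context.

// Vulnerable shape (as in 4.0.19): the escaping line is disabled, so a double
// quote in the snippet terminates the JavaScript string literal.
function inline_script_unsafe(string $name, string $snippet): string
{
    // $snippet = str_replace( '"', '\"', $snippet );  // commented out in 4.0.19
    return 'var ' . $name . ' = "' . $snippet . '";';
}

// Hardened shape: emit the value as a JSON string literal. The JSON_HEX_* flags
// turn <, >, &, ' and " into \uXXXX escapes, so the content can neither close
// the string nor close the surrounding <script> element. WordPress offers
// wp_json_encode() for this; plain json_encode() is used so it runs anywhere.
function inline_script_safe(string $name, string $snippet): string
{
    $encoded = json_encode(
        $snippet,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    if ($encoded === false) {
        // Invalid UTF-8 or similar: emit an empty literal, never raw content.
        $encoded = '""';
    }
    return 'var ' . $name . ' = ' . $encoded . ';';
}

// Check: is the generated statement still exactly one string literal? An
// unescaped '"' or a '</' inside the literal means the context was broken.
function literal_is_intact(string $js): bool
{
    if (!preg_match('/^var \w+ = "(.*)";$/s', $js, $m)) {
        return false;
    }
    return !preg_match('/(?<!\\\\)"|<\//', $m[1]);
}

// Constructed sample: content with a double quote and a closing tag, the kind
// of value an import file can carry when wp_magic_quotes() is bypassed.
$sample = 'Hello "world" </script>';

var_dump(literal_is_intact(inline_script_unsafe('snippet0', $sample)));
var_dump(literal_is_intact(inline_script_safe('snippet0', $sample)));
```

Running it prints `bool(false)` for the unsafe builder and `bool(true)` for the hardened one; the same check is a cheap regression test for any template that inlines user-controlled data into a script block.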
Preconditions
- auth: Attacker must have Administrator-level access to the WordPress installation.
- input: The attacker must import a malicious snippet file containing double quotes in the snippet content.
- config: The vulnerability only affects multisite installations; single-site administrators already have the unfiltered_html capability.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/post-snippets/tags/4.0.19/src/PostSnippets/DBTable.php (nvd)
- plugins.trac.wordpress.org/browser/post-snippets/tags/4.0.19/src/PostSnippets/WPEditor.php (nvd)
- plugins.trac.wordpress.org/browser/post-snippets/tags/4.1.1/src/PostSnippets/WPEditor.php (nvd)
- plugins.trac.wordpress.org/browser/post-snippets/trunk/src/PostSnippets/DBTable.php (nvd)
- plugins.trac.wordpress.org/browser/post-snippets/trunk/src/PostSnippets/WPEditor.php (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/59dc2448-491c-478f-a784-c727057b126b (nvd)
News mentions
No linked articles in our index yet.