CVE-2026-7430 MEDIUM

CVE-2026-7430: Post Snippets <= 4.0.19 - Authenticated (Administrator+) Stored Cross-Site Scripting via Import

Vendor Saadiqbal
Product Post Snippets – Custom WordPress Code Snippets Customizer
Weakness CWE-79 · XSS
Published May 29, 2026
Last update May 29, 2026
View on NVD All CVEs

CVSS base score

4.4/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The Post Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.0.19. This is due to insufficient output escaping of imported snippet content when rendering JavaScript variables in the post editor. Specifically, the `jqueryUiDialog()` method in `WPEditor.php` embeds snippet content directly into JavaScript string literals without escaping double quotes (the quote-escaping code on line 214 is commented out). When snippets are imported via the Import/Export feature, the content bypasses WordPress's `wp_magic_quotes()` (which would otherwise add protective backslashes), allowing double quotes in snippet content to break out of the JavaScript string context. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts via a malicious import file that execute whenever any administrator accesses a post editor page. Please note that this does not affect single-site installations as administrators already have the `unfiltered_html` capability.

Explanation of Vulnerability in Simple Terms

02Summary

The Post Snippets plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in versions up to 4.0.19. An authenticated administrator with high privileges can inject malicious JavaScript that executes in the browsers of other site users. The vulnerability requires high attack complexity and affects the integrity and confidentiality of user sessions.

What an attacker can do

03Attacker Capabilities

Inject malicious JavaScript that runs in other users' browsers when they view affected pages.

Potential impact on your site

04Site Impact

Administrators can be tricked into running malicious code that compromises site security or steals user data.

Conditions required to exploit

05Prerequisites

Attacker must be an authenticated WordPress administrator or user with high-level plugin configuration privileges.

Key dates

06Disclosure timeline

May 29, 2026 CVE published
May 29, 2026 Record updated

Related vulnerabilities

08Related CVE

CVE-2025-32533 WordPress Deliver via Shipos for WooCommerce Plugin <= 2.1.7 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2024-4724 Campcodes Legal Case Management System case-type cross site scripting CVE-2024-34796 WordPress PopupAlly plugin <= 2.1.1 - Cross Site Scripting (XSS) vulnerability CVE-2025-68525 WordPress Category Icon plugin <= 1.0.2 - Cross Site Scripting (XSS) vulnerability CVE-2021-38353 Dropdown and scrollable Text <= 2.0 Reflected Cross-Site Scripting