Stored Cross-Site Scripting Vulnerability in Post Snippets Plugin by WordPress
CVE-2026-7430

4.4 MEDIUM

What is CVE-2026-7430?

The Post Snippets plugin for WordPress is vulnerable to stored cross-site scripting: an authenticated attacker with Administrator-level access can inject arbitrary web scripts through a malicious import file. The flaw is inadequate escaping of imported snippet content when it is rendered into JavaScript variables in the post editor. Specifically, the jqueryUiDialog() method does not escape double quotes, so a double quote inside imported content terminates the JavaScript string literal and the remainder is interpreted as code. Because the snippets arrive through the import path rather than as ordinary request input, they are also not subject to the slash-escaping that wp_magic_quotes() applies, which would otherwise blunt such injections. Single-site installations are not affected, since administrators there already hold the unfiltered_html capability and can legitimately publish arbitrary scripts; the issue is relevant on installations where administrators lack that capability.
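The escaping defect described above is a context-specific one: the snippet content is placed inside a JavaScript string literal, so HTML escaping alone is not the right fix, and relying on the surrounding quotes (or on the slashes that wp_magic_quotes() adds to request input) is not either. The following added example, which is not the Post Snippets plugin's own code and uses plain PHP so that it runs stand-alone, shows the vulnerable rendering pattern next to a hardened one that emits a JSON string literal with HTML-significant characters hex-escaped. Inside a WordPress plugin the same flags can be passed to wp_json_encode(); the function names and the sample snippet body are constructed for illustration.

```php
<?php
// Added example (not the Post Snippets plugin's own code): rendering a
// server-side string into a JavaScript variable inside an inline <script>.
// The vulnerable form relies on the surrounding double quotes alone; the
// hardened form emits a JSON string literal with HTML-significant characters
// hex-escaped. Inside WordPress the equivalent call is wp_json_encode() with
// the same flags; plain json_encode() is used here so the file runs as-is.

// Vulnerable pattern: a double quote in $content terminates the JS string,
// and whatever follows it is parsed as JavaScript code rather than data.
function render_snippet_vulnerable(string $content): string
{
    return '<script>var snippet = "' . $content . '";</script>';
}

// Hardened pattern: json_encode() yields a valid JS string literal, and the
// JSON_HEX_* flags encode " ' < > & as \uXXXX sequences, so the content can
// close neither the JS string nor the enclosing <script> element. A forward
// slash is escaped as "\/" by default, which also breaks any "</script>" run.
function render_snippet_safe(string $content): string
{
    $literal = json_encode(
        $content,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    if ($literal === false) {
        // Encoding failure (for example invalid UTF-8): fail closed with an
        // empty string rather than falling back to the raw content.
        $literal = '""';
    }
    return '<script>var snippet = ' . $literal . ';</script>';
}

// Constructed sample snippet body containing the two character classes that
// matter in this context: a double quote and a closing script tag.
$sample = 'Title "quoted" text </script>';

echo render_snippet_vulnerable($sample), PHP_EOL;
echo render_snippet_safe($sample), PHP_EOL;
```

In the vulnerable output the string literal ends right after `Title `, so `quoted` and the closing tag land outside it; in the hardened output the quotes appear as `\u0022` and the angle brackets as `\u003C` and `\u003E`, which the JavaScript engine decodes back into the original characters only after the literal has been parsed. The same rule applies to any value that is imported, stored or otherwise bypasses the request-input path: escape for the exact output context at render time, and do not count on an earlier filter having done it.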

Affected Version(s)

Post Snippets – Custom WordPress Code Snippets Customizer, all versions up to and including 4.0.19

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Albatross George