Code Snippets Security & Risk Analysis

wordpress.org/plugins/code-snippets

An easy, clean and simple way to enhance your site with code snippets.

1.0M active installs · v3.9.5 · PHP 7.4+ · WP 5.0+ · Updated Feb 5, 2026
code · css · multisite · php · snippets
Score 89 · A · Safe
CVEs total: 7
Unpatched: 0
Last CVE: Feb 5, 2026

Safety Verdict

Is Code Snippets Safe to Use in 2026?

Generally Safe

Score 89/100

Code Snippets has a strong security track record. Known vulnerabilities have been patched promptly.

7 known CVEs · Last CVE: Feb 5, 2026 · Updated 1mo ago

Risk Assessment

The "code-snippets" plugin v3.9.5 demonstrates a generally good security posture based on the static analysis. The plugin effectively utilizes WordPress security best practices, as evidenced by the absence of unprotected entry points (AJAX handlers, REST API routes, shortcodes, cron events), a high percentage of prepared SQL statements, and a near-perfect rate of output escaping. The lack of critical or high-severity taint flows further suggests that the plugin is not immediately introducing new, severe vulnerabilities.

However, the vulnerability history presents a significant concern. The plugin has 7 known CVEs, 2 of high severity and 5 of medium severity. The common vulnerability types (Code Injection, Cross-site Scripting, CSRF) indicate a recurring pattern of issues related to input validation and output sanitization. While there are currently no unpatched CVEs, the historical prevalence of these vulnerability types suggests that similar weaknesses could emerge in the future, especially given how recent the last vulnerability is.

In conclusion, while the current static analysis of v3.9.5 shows strong adherence to secure coding practices, the plugin's past security record warrants vigilance. The developers have a demonstrated history of introducing and then patching vulnerabilities related to code execution and data sanitization. Users should ensure they are always running the latest version and monitor for any new security advisories.

Key Concerns

  • Significant vulnerability history
  • High severity vulnerabilities in history
  • Medium severity vulnerabilities in history
  • Recurring vulnerability types
Vulnerabilities
7

Code Snippets Security Vulnerabilities

CVEs by Year

  • 2016: 1 CVE
  • 2020: 1 CVE
  • 2021: 1 CVE
  • 2022: 1 CVE
  • 2023: 1 CVE
  • 2025: 1 CVE
  • 2026: 1 CVE

Severity Breakdown

High: 2
Medium: 5

7 total CVEs

CVE-2026-1785 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Code Snippets <= 3.9.4 - Cross-Site Request Forgery to Cloud Snippet Download/Update Actions

Feb 5, 2026 · Patched in 3.9.5 (1d)

CVE-2025-13035 · high · 8 · Improper Control of Generation of Code ('Code Injection')

Code Snippets <= 3.9.1 - Authenticated (Contributor+) PHP Code Injection via extract() and PHP Filter Chains

Nov 18, 2025 · Patched in 3.9.2 (2d)

CVE-2023-47666 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Code Snippets <= 3.5.0 - Cross-Site Request Forgery via load

Nov 6, 2023 · Patched in 3.6.0 (78d)

CVE-2022-25617 · medium · 4.7 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Code Snippets <= 2.14.3 - Reflected Cross-Site Scripting

May 18, 2022 · Patched in 2.14.4 (614d)

CVE-2021-25008 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Code Snippets <= 2.14.2 - Reflected Cross-Site Scripting

Dec 27, 2021 · Patched in 2.14.3 (757d)

CVE-2020-8417 · high · 8.8 · Cross-Site Request Forgery (CSRF)

Code Snippets <= 2.13.3 - Cross-Site Request Forgery to Remote Code Execution

Jan 29, 2020 · Patched in 2.14.0 (1455d)

WF-fd0c3965-6b35-46a8-8cf0-6726cdb03c8f-code-snippets · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Code Snippets < 2.7.0 - Reflected Cross-Site Scripting

Jul 24, 2016 · Patched in 2.7.0 (2739d)

Code Analysis
Analyzed Mar 16, 2026

Code Snippets Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 4 (14 prepared)
  • Unescaped Output: 8 (317 escaped)
  • Nonce Checks: 11
  • Capability Checks: 21
  • File Operations: 4
  • External Requests: 5
  • Bundled Libraries: 0

SQL Query Safety

78% prepared · 18 total queries

Output Escaping

98% escaped · 325 total outputs

Data Flows: All sanitized

Data Flow Analysis

6 flows
load_snippet_data (php\admin-menus\class-edit-menu.php:125)
Attack Surface

Code Snippets Attack Surface

Entry Points: 4
Unprotected: 0

AJAX Handlers 3

  • auth · wp_ajax_update_code_snippet · php\admin-menus\class-manage-menu.php:55
  • auth · wp_ajax_code_snippets_switch_version · php\settings\class-version-switch.php:26
  • auth · wp_ajax_code_snippets_refresh_versions · php\settings\class-version-switch.php:27

REST API Routes 1

  • GET · /wp-json/v1/snippets/snippets-info · php\front-end\class-front-end.php:50

WordPress Hooks 55

  • action · admin_menu · php\admin-menus\class-admin-menu.php:68
  • action · network_admin_menu · php\admin-menus\class-admin-menu.php:69
  • action · admin_enqueue_scripts · php\admin-menus\class-admin-menu.php:142
  • action · admin_init · php\admin-menus\class-import-menu.php:29
  • action · load-importer-code-snippets · php\admin-menus\class-import-menu.php:30
  • action · admin_menu · php\admin-menus\class-manage-menu.php:48
  • action · network_admin_menu · php\admin-menus\class-manage-menu.php:49
  • action · admin_menu · php\admin-menus\class-manage-menu.php:52
  • filter · set-screen-option · php\admin-menus\class-manage-menu.php:53
  • action · admin_enqueue_scripts · php\admin-menus\class-manage-menu.php:54
  • action · init · php\class-admin.php:63
  • filter · mu_menu_items · php\class-admin.php:65
  • filter · manage_sites_action_links · php\class-admin.php:66
  • filter · plugin_row_meta · php\class-admin.php:68
  • filter · debug_information · php\class-admin.php:69
  • action · code_snippets/admin/manage · php\class-admin.php:70
  • filter · default_hidden_columns · php\class-list-table.php:96
  • filter · code_snippets/list_table/column_description · php\class-list-table.php:104
  • filter · safe_style_css · php\class-list-table.php:143
  • filter · code_snippets/execute_snippets · php\class-plugin.php:99
  • filter · home_url · php\class-plugin.php:102
  • filter · admin_url · php\class-plugin.php:103
  • action · rest_api_init · php\class-plugin.php:106
  • action · allowed_redirect_hosts · php\class-plugin.php:107
  • action · plugins_loaded · php\class-plugin.php:157
  • action · init · php\class-upgrade.php:97
  • action · admin_notices · php\deactivation-notice.php:62
  • action · init · php\evaluation\class-evaluate-content.php:39
  • action · wp_head · php\evaluation\class-evaluate-content.php:47
  • action · wp_footer · php\evaluation\class-evaluate-content.php:48
  • action · wp_head · php\evaluation\class-evaluate-content.php:50
  • action · wp_footer · php\evaluation\class-evaluate-content.php:51
  • action · plugins_loaded · php\evaluation\class-evaluate-functions.php:36
  • action · code_snippets/create_snippet · php\flat-files\classes\class-snippet-files.php:107
  • action · code_snippets/update_snippet · php\flat-files\classes\class-snippet-files.php:108
  • action · code_snippets/delete_snippet · php\flat-files\classes\class-snippet-files.php:109
  • action · code_snippets/trash_snippet · php\flat-files\classes\class-snippet-files.php:110
  • action · code_snippets/activate_snippet · php\flat-files\classes\class-snippet-files.php:111
  • action · code_snippets/deactivate_snippet · php\flat-files\classes\class-snippet-files.php:112
  • action · code_snippets/activate_snippets · php\flat-files\classes\class-snippet-files.php:113
  • action · updated_option · php\flat-files\classes\class-snippet-files.php:115
  • action · add_option · php\flat-files\classes\class-snippet-files.php:116
  • filter · code_snippets_settings_fields · php\flat-files\classes\class-snippet-files.php:119
  • action · code_snippets/settings_updated · php\flat-files\classes\class-snippet-files.php:120
  • action · the_posts · php\front-end\class-front-end.php:35
  • action · init · php\front-end\class-front-end.php:36
  • filter · code_snippets/render_content_shortcode · php\front-end\class-front-end.php:41
  • filter · mce_external_plugins · php\front-end\class-front-end.php:93
  • filter · mce_buttons · php\front-end\class-front-end.php:102
  • filter · mce_external_languages · php\front-end\class-front-end.php:111
  • action · wp_enqueue_scripts · php\front-end\class-front-end.php:149
  • action · rest_api_init · php\migration\importers\files\file-upload-importer.php:15
  • action · rest_api_init · php\migration\importers\plugins\importer-base.php:13
  • action · rest_api_init · php\migration\importers\plugins\manager.php:16
  • action · admin_init · php\settings\settings.php:201

Maintenance & Trust

Code Snippets Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Feb 5, 2026
  • PHP min version: 7.4
  • Downloads: 19.7M

Community Trust

  • Rating: 94/100
  • Number of ratings: 494
  • Active installs: 1.0M

Developer Profile

Code Snippets Developer Profile

Code Snippets Pro

1 plugin · 1.0M total installs

  • Trust score: 71
  • Avg Security Score: 89/100
  • Avg Patch Time: 807 days

Detection Fingerprints

How We Detect Code Snippets

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/code-snippets/dist/edit.css
  • /wp-content/plugins/code-snippets/dist/edit.js
  • /wp-content/plugins/code-snippets/dist/settings.css
  • /wp-content/plugins/code-snippets/dist/settings.js
  • /wp-content/plugins/code-snippets/dist/admin.css
  • /wp-content/plugins/code-snippets/dist/admin.js

Script Paths
  • /wp-content/plugins/code-snippets/dist/edit.js
  • /wp-content/plugins/code-snippets/dist/settings.js
  • /wp-content/plugins/code-snippets/dist/admin.js

Version Parameters
  • code-snippets/dist/edit.css?ver=
  • code-snippets/dist/edit.js?ver=
  • code-snippets/dist/settings.css?ver=
  • code-snippets/dist/settings.js?ver=
  • code-snippets/dist/admin.css?ver=
  • code-snippets/dist/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • code-snippets-admin-menu
  • code-snippets-edit-menu
  • code-snippets-settings-menu
  • code-snippets-wrap
  • code-snippets-table
  • code-snippets-snippet-form

HTML Comments
  • <!-- Snippet editor -->
  • <!-- Edit Snippet Form -->
  • <!-- Code Snippets Settings -->

Data Attributes
  • data-snippet-id
  • data-snippet-type
  • data-snippet-scope
  • data-code-snippets-editor-theme
  • data-code-snippets-enable-description

JS Globals
  • CODE_SNIPPETS_EDIT
  • CODE_SNIPPETS_SETTINGS
  • CODE_SNIPPETS_ADMIN
  • codeSnippetsReact

REST Endpoints
  • /wp-json/code-snippets/v1/snippets
  • /wp-json/code-snippets/v1/tags

FAQ

Frequently Asked Questions about Code Snippets