Post Snippets – Custom WordPress Code Snippets Customizer Security & Risk Analysis

wordpress.org/plugins/post-snippets

Create WordPress custom snippets shortcodes and reusable content and insert them into your posts and pages.

20K active installs · v4.0.18 · PHP 8.0+ · WP 5.3+ · Updated Mar 12, 2026
Tags: custom-shortcode, custom-snippet, shortcode, snippet, snippets
89 · A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Dec 31, 2025
Safety Verdict

Is Post Snippets – Custom WordPress Code Snippets Customizer Safe to Use in 2026?

Generally Safe

Score 89/100

Post Snippets – Custom WordPress Code Snippets Customizer has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Dec 31, 2025 · Updated 22d ago
Risk Assessment

The post-snippets v4.0.18 plugin exhibits a mixed security posture. While it demonstrates good practices in its use of prepared statements for SQL queries and includes a significant number of nonce and capability checks, there are notable areas of concern. The presence of a dangerous function like 'preg_replace(/e)' is a red flag, and the taint analysis revealing two high-severity flows with unsanitized paths indicates a potential for vulnerabilities that could be exploited. The plugin's vulnerability history, with four past CVEs including one critical and one high severity, further reinforces the need for caution, suggesting a pattern of past security weaknesses that require ongoing vigilance.

Despite the positive aspects like a zero attack surface from direct entry points and a lack of external HTTP requests, the identified code signals and taint analysis issues, coupled with the historical vulnerability record, mean this plugin should be approached with care. The fact that all past CVEs are currently patched is a positive sign, but the underlying patterns of past vulnerabilities suggest that diligent monitoring and prompt updating are crucial for maintaining a secure WordPress environment when using this plugin.

Key Concerns

  • High severity taint flow with unsanitized path
  • High severity taint flow with unsanitized path
  • Dangerous function: preg_replace(/e)
  • Output escaping: only 68% of outputs properly escaped
  • Past critical CVE (even if patched)
  • Past high CVE (even if patched)
  • Bundled outdated library: Freemius v1.0
Vulnerabilities
4

Post Snippets – Custom WordPress Code Snippets Customizer Security Vulnerabilities

CVEs by Year

2019: 1 CVE
2022: 1 CVE
2023: 1 CVE
2025: 1 CVE

Severity Breakdown

Critical: 1
High: 1
Medium: 2

4 total CVEs

CVE-2025-63040 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Post Snippets <= 4.0.11 - Cross-Site Request Forgery

Dec 31, 2025 Patched in 4.0.12 (14d)
CVE-2023-25459 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Post Snippets <= 4.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'snippet_content'

May 9, 2023 Patched in 4.0.3 (259d)
CVE-2021-25010 · critical · 9.6 · Cross-Site Request Forgery (CSRF)

Post Snippets <= 3.1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Jan 31, 2022 Patched in 3.1.4 (722d)

Freemius SDK <= 2.2.3 - Missing Authorization to Arbitrary Options Update

Feb 25, 2019 Patched in 3.0.6 (1793d)
Code Analysis
Analyzed Mar 16, 2026

Post Snippets – Custom WordPress Code Snippets Customizer Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 2 (92 prepared)
Unescaped Output: 74 (158 escaped)
Nonce Checks: 16
Capability Checks: 4
File Operations: 8
External Requests: 0
Bundled Libraries: 2

Dangerous Functions Found

preg_replace(/e) · preg_replace('/e · src\PostSnippets\Edit.php:1758

Bundled Libraries

Freemius 1.0, TinyMCE

SQL Query Safety

98% prepared · 94 total queries

Output Escaping

68% escaped · 232 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

3 flows · 2 with unsanitized paths
process_bulk_filter (src\PostSnippets\PSallSnippets.php:559)
Attack Surface

Post Snippets – Custom WordPress Code Snippets Customizer Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 35
action · after_uninstall · post-snippets.php:78
filter · is_submenu_visible · post-snippets.php:128
action · after_setup_theme · post-snippets.php:196
action · admin_notices · post-snippets.php:326
action · admin_notices · post-snippets.php:334
action · plugins_loaded · post-snippets.php:440
action · plugins_loaded · post-snippets.php:441
action · admin_menu · src\PostSnippets\Admin.php:32
action · admin_init · src\PostSnippets\Admin.php:33
action · current_screen · src\PostSnippets\Admin.php:34
action · admin_notices · src\PostSnippets\Admin.php:41
action · admin_notices · src\PostSnippets\Admin.php:44
action · init · src\PostSnippets\Admin.php:49
filter · set-screen-option · src\PostSnippets\Admin.php:51
action · wp_footer · src\PostSnippets\Admin.php:53
action · wp_head · src\PostSnippets\Admin.php:55
action · admin_print_scripts · src\PostSnippets\Admin.php:57
filter · admin_title · src\PostSnippets\Admin.php:151
filter · admin_title · src\PostSnippets\Admin.php:168
filter · admin_title · src\PostSnippets\Admin.php:185
action · load-post.php · src\PostSnippets\Help.php:22
action · load-post-new.php · src\PostSnippets\Help.php:23
action · admin_head · src\PostSnippets\Help.php:37
action · admin_footer · src\PostSnippets\ImportExport.php:37
action · admin_footer · src\PostSnippets\ImportExport.php:67
action · init · src\PostSnippets\WPEditor.php:23
action · admin_print_footer_scripts · src\PostSnippets\WPEditor.php:26
action · admin_head · src\PostSnippets\WPEditor.php:32
action · admin_footer · src\PostSnippets\WPEditor.php:33
action · admin_init · src\PostSnippets\WPEditor.php:37
filter · mce_external_plugins · src\PostSnippets\WPEditor.php:62
filter · mce_buttons · src\PostSnippets\WPEditor.php:66
filter · allowed_block_types_all · src\PostSnippets\WPEditor.php:288
filter · post_snippets_snippets_list · src\PS_functions.php:21
action · admin_notices · src\PS_functions.php:39
Maintenance & Trust

Post Snippets – Custom WordPress Code Snippets Customizer Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version: 8.0
Downloads: 819K

Community Trust

Rating: 92/100
Number of ratings: 93
Active installs: 20K
Developer Profile

Post Snippets – Custom WordPress Code Snippets Customizer Developer Profile

Saad Iqbal

84 plugins · 1.4M total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 287 days
Detection Fingerprints

How We Detect Post Snippets – Custom WordPress Code Snippets Customizer

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/post-snippets/assets/css/admin.css
/wp-content/plugins/post-snippets/assets/css/frontend.css
/wp-content/plugins/post-snippets/assets/js/admin.js
/wp-content/plugins/post-snippets/assets/js/frontend.js
/wp-content/plugins/post-snippets/assets/js/scripts.js
Script Paths
/wp-content/plugins/post-snippets/assets/js/admin.js
/wp-content/plugins/post-snippets/assets/js/frontend.js
/wp-content/plugins/post-snippets/assets/js/scripts.js
Version Parameters
post-snippets/assets/css/admin.css?ver=
post-snippets/assets/css/frontend.css?ver=
post-snippets/assets/js/admin.js?ver=
post-snippets/assets/js/frontend.js?ver=
post-snippets/assets/js/scripts.js?ver=

HTML / DOM Fingerprints

CSS Classes
ps-snippets
post-snippets-wrap
HTML Comments
<!-- Post Snippet: {{snippet_name}} -->
<!-- End Post Snippet: {{snippet_name}} -->
Data Attributes
data-snippet-id
data-post-id
JS Globals
postSnippetsFrontend
ps_vars
REST Endpoints
/wp-json/post-snippets/v1/snippets
/wp-json/post-snippets/v1/settings
Shortcode Output
[post_snippet]
[post_snippet id=""
[post_snippet name=""
FAQ

Frequently Asked Questions about Post Snippets – Custom WordPress Code Snippets Customizer