Sniplets Security & Risk Analysis

wordpress.org/plugins/sniplets

Sniplets is a generic text insertion plugin. Use it to manually or automatically insert data, PHP, syntax highlight, and almost anything else!

40 active installs · v1.4.5 · Requires WP 2.7+ (no PHP minimum listed) · Updated Apr 29, 2012
Tags: code, insert, page, php, post
Score: 81/100 · Grade B · Generally Safe
CVEs total: 3
Unpatched: 0
Last CVE: Feb 26, 2008
Safety Verdict

Is Sniplets Safe to Use in 2026?

Mostly Safe

Score 81/100

Sniplets has no unpatched CVEs (all 3 past CVEs were fixed in 1.2.3), but it has not been updated since April 2012 and was last tested against WordPress 2.9.2, so the "safe" verdict rests on the absence of known issues rather than on active maintenance.

3 known CVEs · Last CVE: Feb 26, 2008 · Updated 14yr ago
Risk Assessment

The sniplets plugin v1.4.5 exhibits a mixed security posture. Static analysis reports a small attack surface (no registered entry points, none unprotected), but the code signals are concerning. The two `unserialize` calls (model\sniplets_class.php:24 and sniplets.php:363) are a red flag: deserializing attacker-influenced data is PHP object injection, which becomes remote code execution when a loadable class offers a usable magic-method gadget. Only 3 of 41 SQL queries use prepared statements and only 13 of 214 outputs are escaped, which points to a high likelihood of SQL injection and cross-site scripting, respectively, should any of those paths carry attacker-influenced data.

The vulnerability history corroborates the code analysis: three CVEs from February 2008, two critical (code injection and remote file inclusion) and one medium (cross-site scripting), all fixed in 1.2.3. That the last vulnerability dates to 2008 and none are unpatched is positive, but the pattern of severe bugs indicates a history of insecure coding practices. The entry points are not directly exploitable in this version according to the static analysis, yet the internal code quality and past record represent a substantial risk if any of the identified weaknesses become reachable or new vulnerabilities are introduced.

In conclusion, although the current static analysis finds no obviously exploitable entry point, the codebase uses dangerous functions and shows poor hygiene around prepared statements and output escaping, and the historical record amplifies that risk. Combined with no update since April 2012, users should be very cautious and prefer an actively maintained alternative, or audit and patch the plugin themselves if they must run it.

Key Concerns

  • Dangerous function: unserialize used
  • Low percentage of SQL prepared statements
  • Low percentage of properly escaped output
  • High number of past critical CVEs
  • Flows with unsanitized paths found
  • History of RFI, XSS, and Code Injection
Vulnerabilities
3 published

Sniplets Security Vulnerabilities

CVEs by Year

2008: 3 CVEs (all patched)

Severity Breakdown

Critical
2
Medium
1

3 total CVEs

CVE-2008-1061 · medium · CVSS 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Sniplets < 1.2.3 - Cross-Site Scripting

Published Feb 26, 2008 · Patched in 1.2.3 (5810d)

CVE-2008-1060 · critical · CVSS 9.8 · Improper Control of Generation of Code ('Code Injection')

Sniplets < 1.2.3 - Remote Code Execution

Published Feb 26, 2008 · Patched in 1.2.3 (5810d)

CVE-2008-1059 · critical · CVSS 9.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Sniplets < 1.2.3 - Remote File Inclusion

Published Feb 25, 2008 · Patched in 1.2.3 (5811d)
Version History

Sniplets Release Timeline

v1.4.6
v1.4.5 (current)
Code Analysis
Analyzed Mar 16, 2026

Sniplets Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 38 (3 prepared)
Unescaped Output: 201 (13 escaped)
Nonce Checks: 16
Capability Checks: 4
File Operations: 2
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize · model\sniplets_class.php:24 · $this->modules = unserialize ($this->modules);
unserialize · sniplets.php:363 · $snip->modules = unserialize ((string)$sniplet->modules[0]);

SQL Query Safety

7% prepared (3 of 41 queries)

Output Escaping

6% escaped (13 of 214 outputs)
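The three code signals above (unserialize on stored data, raw SQL, unescaped output) are easiest to understand side by side with their hardened forms. The block below is an added illustration written for this page; it is not code from the Sniplets plugin. It assumes a WordPress runtime ($wpdb, esc_attr, esc_html, wp_json_encode are standard WordPress APIs) and PHP 7.0+ for the allowed_classes option; the table name {$wpdb->prefix}sniplets, the modules column and the $name/$snip parameters are assumptions for the example.

```php
<?php
// Added illustration, not Sniplets' own code. Each "risky" function shows the
// shape the analysis flags; the "hardened" one beside it is the idiomatic fix.
// Assumed: WordPress runtime, table {$wpdb->prefix}sniplets with a serialized
// `modules` column and a `name` column.

// RISKY: a serialized string round-trips through the database. If anything can
// write that column (a second bug, a compromised account, a malicious import),
// unserialize() instantiates whatever classes the payload names, and any loaded
// class with a __wakeup()/__destruct() gadget becomes reachable.
function load_modules_risky( string $stored ) {
    return unserialize( $stored );
}

// HARDENED: refuse objects outright (PHP 7.0+) and validate the expected shape.
// Objects in the payload come back as __PHP_Incomplete_Class and no magic
// methods run; we then keep only plain string module names.
function load_modules_hardened( string $stored ): array {
    $modules = unserialize( $stored, array( 'allowed_classes' => false ) );
    if ( ! is_array( $modules ) ) {
        return array();
    }
    return array_values( array_filter( $modules, 'is_string' ) );
}

// BETTER FOR NEW DATA: store JSON, which cannot carry PHP objects at all.
function save_modules( array $modules ): string {
    return wp_json_encode( array_values( array_filter( $modules, 'is_string' ) ) );
}
function load_modules_json( string $stored ): array {
    $modules = json_decode( $stored, true );
    return is_array( $modules ) ? array_values( array_filter( $modules, 'is_string' ) ) : array();
}

// RISKY: $name is interpolated straight into SQL. A value such as
//   x' OR '1'='1
// rewrites the WHERE clause (classic SQL injection).
function get_sniplet_risky( wpdb $wpdb, string $name ) {
    return $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}sniplets WHERE name = '$name'" );
}

// HARDENED: $wpdb->prepare() with a %s placeholder escapes and quotes the value.
function get_sniplet_hardened( wpdb $wpdb, string $name ) {
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}sniplets WHERE name = %s", $name )
    );
}

// RISKY: stored text echoed into HTML unescaped. If the stored value was ever
// attacker-influenced this is stored XSS.
function render_sniplet_risky( $snip ) {
    echo '<div class="sniplet" data-sniplet-name="' . $snip->name . '">' . $snip->text . '</div>';
}

// HARDENED: escape for the context the value lands in: esc_attr() inside an
// attribute, esc_html() for text. Use wp_kses_post() only when the stored
// value must legitimately keep a safe subset of HTML.
function render_sniplet_hardened( $snip ) {
    echo '<div class="sniplet" data-sniplet-name="' . esc_attr( $snip->name ) . '">'
        . esc_html( $snip->text ) . '</div>';
}
```

Note that WordPress's own maybe_unserialize() does not pass allowed_classes, so routing stored data through it does not remove the object-injection risk; the JSON variant avoids the question entirely.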
Data Flows · Security
6 unsanitized

Data Flow Analysis

7 flows, 6 with unsanitized paths
Flow listed: show_config (model\widget.php:107)
Attack Surface

Sniplets Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 27

Type    Hook                  Location
action  init                  model\widget.php:24
action  sidebar_admin_setup   model\widget.php:50
action  sidebar_admin_page    model\widget.php:51
action  init                  plugin.php:136
action  admin_menu            plugin.php:140
action  admin_menu            plugin.php:143
action  admin_menu            plugin.php:146
action  dbx_post_advanced     plugin.php:228
action  wp_print_scripts      sniplets.php:54
action  admin_head            sniplets.php:55
action  admin_print_styles    sniplets.php:56
filter  contextual_help       sniplets.php:57
action  admin_menu            sniplets.php:58
action  admin_footer          sniplets.php:59
filter  the_posts             sniplets.php:65
action  the_sniplet           sniplets.php:66
action  the_sniplet_place     sniplets.php:67
filter  the_content           sniplets.php:73
filter  the_excerpt           sniplets.php:74
filter  the_real_content      sniplets.php:77
action  wp_head               sniplets.php:147
action  wp_footer             sniplets.php:150
action  comment_form          sniplets.php:153
action  the_content_rss       sniplets.php:157
action  the_excerpt_rss       sniplets.php:158
action  the_content           sniplets.php:162
action  the_excerpt           sniplets.php:163
Maintenance & Trust

Sniplets Maintenance & Trust

Maintenance Signals

WordPress version tested: 2.9.2
Last updated: Apr 29, 2012
PHP min version: (none listed)
Downloads: 25K

Community Trust

Rating: 56/100
Number of ratings: 4
Active installs: 40
Developer Profile

Sniplets Developer Profile

John Godley

14 plugins · 2.2M total installs

Trust score: 70
Avg Security Score: 87/100
Avg Patch Time: 4069 days
Detection Fingerprints

How We Detect Sniplets

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/sniplets/resource/admin.css
/wp-content/plugins/sniplets/resource/admin.js
Script Paths
/wp-content/plugins/sniplets/resource/admin.js
Version Parameters
sniplets/resource/admin.js?ver=
sniplets/resource/admin.css?ver=

HTML / DOM Fingerprints

Data Attributes
data-sniplet-name
data-sniplet-id
data-sniplet-post-id
JS Globals
Sniplets
Shortcode Output
[sniplet
[sniplet]
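Applying the fingerprints above to a fetched page amounts to a handful of pattern matches plus pulling the version out of the ?ver= query string. The block below is an added example written for this page, not the scanner's own code; the HTML sample is constructed, and the assumption that the JS global is declared as var/let/const Sniplets or window.Sniplets is the example's, not the page's.

```php
<?php
// Added example, not the scanner's code. Scans one page of HTML for the
// Sniplets fingerprints listed above and returns which signals fired plus the
// version advertised in the asset ?ver= parameter. Plain PHP, runs standalone.

function detect_sniplets( string $html ): array {
    $result = array( 'detected' => false, 'signals' => array(), 'version' => null );

    // Asset paths: admin.js / admin.css under the plugin's resource directory,
    // with the optional ?ver= value captured as the plugin version.
    if ( preg_match_all(
        '#/wp-content/plugins/sniplets/resource/admin\.(?:js|css)(?:\?ver=([^"\'&\s]+))?#',
        $html, $m ) ) {
        $result['signals'][] = 'asset_path';
        foreach ( $m[1] as $ver ) {
            if ( $ver !== '' ) {
                $result['version'] = $ver;
                break;
            }
        }
    }

    // DOM markers emitted around inserted sniplets.
    if ( preg_match( '/\bdata-sniplet-(?:name|id|post-id)=/', $html ) ) {
        $result['signals'][] = 'data_attribute';
    }

    // JS global. How it is declared is an assumption for this example.
    if ( preg_match( '/\b(?:var|let|const)\s+Sniplets\b|\bwindow\.Sniplets\b/', $html ) ) {
        $result['signals'][] = 'js_global';
    }

    // Shortcode text leaking unrendered into the page.
    if ( preg_match( '/\[sniplet(?:\]|\s)/', $html ) ) {
        $result['signals'][] = 'shortcode_output';
    }

    $result['detected'] = count( $result['signals'] ) > 0;
    return $result;
}

// Constructed sample page exercising every fingerprint.
$sample = <<<'HTML'
<html><head>
<link rel="stylesheet" href="/wp-content/plugins/sniplets/resource/admin.css?ver=1.4.5">
<script src="/wp-content/plugins/sniplets/resource/admin.js?ver=1.4.5"></script>
<script>var Sniplets = {};</script>
</head><body>
<div data-sniplet-name="footer" data-sniplet-id="3" data-sniplet-post-id="12">Hello</div>
<p>[sniplet name="unrendered"]</p>
</body></html>
HTML;

print_r( detect_sniplets( $sample ) );
```

On the constructed sample all four signals fire and the version resolves to 1.4.5. A single signal is enough to flag the plugin, but the asset-path match is the most reliable one because the data attributes and shortcode text only appear on pages where a sniplet was actually inserted.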
FAQ

Frequently Asked Questions about Sniplets