Code Snippets <= 3.9.4 - Cross-Site Request Forgery to Cloud Snippet Download/Update Actions
Description
The Code Snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.9.4. This is due to missing nonce validation on the cloud snippet download and update actions in the Cloud_Search_List_Table class. This makes it possible for unauthenticated attackers to force logged-in administrators to download or update cloud snippets without their consent via a crafted request, granted they can trick an administrator into visiting a malicious page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NTechnical Details
<=3.9.4Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-1785 (Code Snippets CSRF) ## 1. Vulnerability Summary The **Code Snippets** plugin (<= 3.9.4) contains a Cross-Site Request Forgery (CSRF) vulnerability in its cloud snippet management interface. Specifically, the `Cloud_Search_List_Table` class, which handles…
Show full research plan
Exploitation Research Plan: CVE-2026-1785 (Code Snippets CSRF)
1. Vulnerability Summary
The Code Snippets plugin (<= 3.9.4) contains a Cross-Site Request Forgery (CSRF) vulnerability in its cloud snippet management interface. Specifically, the Cloud_Search_List_Table class, which handles the display and interaction with snippets hosted on the Code Snippets Cloud library, fails to implement nonce validation when performing "download" and "update" actions. This allows an unauthenticated attacker to craft a request that, if executed by a logged-in administrator, forces the WordPress site to download a specific snippet from the cloud or update an existing one to its cloud version without consent.
2. Attack Vector Analysis
- Vulnerable Class:
Code_Snippets\Cloud_Search_List_Table(inferred) - Vulnerable File:
php/admin/class-cloud-search-list-table.php(inferred) - Action Hook:
admin_initor logic triggered during the rendering of thesnippets-cloudadmin page. - Endpoint:
wp-admin/admin.php - Query Parameters:
page:snippets-cloudaction:download-snippetorupdate-snippet(inferred action names)snippet_idorid: The identifier of the snippet in the Code Snippets Cloud.
- Authentication Level: Requires an active Administrator session (victim).
- Preconditions: The attacker must identify a valid Cloud Snippet ID and trick the administrator into visiting a malicious URL or page.
3. Code Flow
- Entry Point: The administrator visits a URL like
wp-admin/admin.php?page=snippets-cloud&action=download-snippet&id=123. - Routing: WordPress routes the request to the Code Snippets plugin's cloud search page.
- Instantiation: The plugin instantiates
Cloud_Search_List_Tableto render the view. - Action Processing: Inside the class (likely in
prepare_items()or a dedicated handler method), the code checks for theactionparameter in$_GET. - Logic Sink: If
actionisdownload-snippet, the code retrieves the snippet data from the Cloud API and inserts it into the local{prefix}snippetstable using theCode_Snippets\Snippetclass. - The Flaw: The code verifies if the user has the
manage_snippetscapability (usually viacurrent_user_can), but does not callcheck_admin_referer()orwp_verify_nonce(). Since the browser automatically attaches the admin's session cookies, the request is processed as authorized.
4. Nonce Acquisition Strategy
No nonce is required.
The vulnerability description explicitly states "missing nonce validation." Therefore, the exploit can be executed directly without needing to scrape or extract a _wpnonce parameter.
5. Exploitation Strategy
The goal is to simulate an administrator being CSRF'd into downloading a snippet.
Step-by-Step Plan:
- Identify Snippet: Find a legitimate snippet ID from the Code Snippets Cloud (e.g., ID
101). - Login as Admin: Use the
http_requesttool to authenticate an administrator session and store cookies. - Execute CSRF: Use
http_requestto send a GET request to the vulnerable endpoint, simulating the admin clicking a malicious link. - Payload:
- Method:
GET - URL:
http://[TARGET]/wp-admin/admin.php?page=snippets-cloud&action=download-snippet&id=[CLOUD_ID]
- Method:
- Alternative Payload (POST): If the list table handles actions via POST:
- Method:
POST - URL:
http://[TARGET]/wp-admin/admin.php?page=snippets-cloud - Body:
action=download-snippet&id=[CLOUD_ID] - Content-Type:
application/x-www-form-urlencoded
- Method:
6. Test Data Setup
- Install Plugin: Ensure Code Snippets version 3.9.4 is installed and active.
- Verify DB Table: Ensure the
{prefix}snippetstable exists (created on activation). - Admin User: Create or identify an administrator user (e.g.,
admin/password). - Cloud Snippet ID: For testing purposes, we will use a common cloud snippet ID (e.g.,
1or search the cloud interface to find a valid numeric/UUID ID).
7. Expected Results
- HTTP Response: A
302 Foundredirecting back toadmin.php?page=snippetsor a200 OKwith a "Snippet successfully downloaded" notice in the HTML. - Database Change: A new entry should appear in the
wp_snippetstable corresponding to the cloud snippet ID used in the attack. - Plugin UI: The "All Snippets" page in the WordPress dashboard should now list the newly downloaded snippet.
8. Verification Steps
After the http_request exploit, use wp-cli to verify the state change:
# Check if a new snippet exists in the custom table
wp db query "SELECT title, code FROM wp_snippets ORDER BY id DESC LIMIT 1;"
# Alternatively, if the plugin registers a post type (older versions vs newer)
wp post list --post_type=snippet
# Check for the total count of snippets before and after
wp db query "SELECT COUNT(*) FROM wp_snippets;"
9. Alternative Approaches
If download-snippet is not the exact action name:
- Search the Source: Run
grep -r "action=" php/admin/class-cloud-search-list-table.phpto identify the exact string used in row actions. - Trace UI: Navigate to the Cloud Search page manually in a browser and hover over the "Download" button to see the URL structure.
- Try
update-snippet: If the site already has a snippet that was originally from the cloud, try theupdate-snippetaction to overwrite local changes with the cloud version.- URL:
wp-admin/admin.php?page=snippets-cloud&action=update-snippet&id=[LOCAL_ID]&cloud_id=[CLOUD_ID](structure inferred).
- URL:
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.