CVE-2026-1785

Code Snippets <= 3.9.4 - Cross-Site Request Forgery to Cloud Snippet Download/Update Actions

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
3.9.5
Patched in
1d
Time to patch

Description

The Code Snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.9.4. This is due to missing nonce validation on the cloud snippet download and update actions in the Cloud_Search_List_Table class. This makes it possible for unauthenticated attackers to force logged-in administrators to download or update cloud snippets without their consent via a crafted request, granted they can trick an administrator into visiting a malicious page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.9.4
PublishedFebruary 5, 2026
Last updatedFebruary 6, 2026
Affected plugincode-snippets

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-1785 (Code Snippets CSRF) ## 1. Vulnerability Summary The **Code Snippets** plugin (<= 3.9.4) contains a Cross-Site Request Forgery (CSRF) vulnerability in its cloud snippet management interface. Specifically, the `Cloud_Search_List_Table` class, which handles…

Show full research plan

Exploitation Research Plan: CVE-2026-1785 (Code Snippets CSRF)

1. Vulnerability Summary

The Code Snippets plugin (<= 3.9.4) contains a Cross-Site Request Forgery (CSRF) vulnerability in its cloud snippet management interface. Specifically, the Cloud_Search_List_Table class, which handles the display and interaction with snippets hosted on the Code Snippets Cloud library, fails to implement nonce validation when performing "download" and "update" actions. This allows an unauthenticated attacker to craft a request that, if executed by a logged-in administrator, forces the WordPress site to download a specific snippet from the cloud or update an existing one to its cloud version without consent.

2. Attack Vector Analysis

  • Vulnerable Class: Code_Snippets\Cloud_Search_List_Table (inferred)
  • Vulnerable File: php/admin/class-cloud-search-list-table.php (inferred)
  • Action Hook: admin_init or logic triggered during the rendering of the snippets-cloud admin page.
  • Endpoint: wp-admin/admin.php
  • Query Parameters:
    • page: snippets-cloud
    • action: download-snippet or update-snippet (inferred action names)
    • snippet_id or id: The identifier of the snippet in the Code Snippets Cloud.
  • Authentication Level: Requires an active Administrator session (victim).
  • Preconditions: The attacker must identify a valid Cloud Snippet ID and trick the administrator into visiting a malicious URL or page.

3. Code Flow

  1. Entry Point: The administrator visits a URL like wp-admin/admin.php?page=snippets-cloud&action=download-snippet&id=123.
  2. Routing: WordPress routes the request to the Code Snippets plugin's cloud search page.
  3. Instantiation: The plugin instantiates Cloud_Search_List_Table to render the view.
  4. Action Processing: Inside the class (likely in prepare_items() or a dedicated handler method), the code checks for the action parameter in $_GET.
  5. Logic Sink: If action is download-snippet, the code retrieves the snippet data from the Cloud API and inserts it into the local {prefix}snippets table using the Code_Snippets\Snippet class.
  6. The Flaw: The code verifies if the user has the manage_snippets capability (usually via current_user_can), but does not call check_admin_referer() or wp_verify_nonce(). Since the browser automatically attaches the admin's session cookies, the request is processed as authorized.

4. Nonce Acquisition Strategy

No nonce is required.
The vulnerability description explicitly states "missing nonce validation." Therefore, the exploit can be executed directly without needing to scrape or extract a _wpnonce parameter.

5. Exploitation Strategy

The goal is to simulate an administrator being CSRF'd into downloading a snippet.

Step-by-Step Plan:

  1. Identify Snippet: Find a legitimate snippet ID from the Code Snippets Cloud (e.g., ID 101).
  2. Login as Admin: Use the http_request tool to authenticate an administrator session and store cookies.
  3. Execute CSRF: Use http_request to send a GET request to the vulnerable endpoint, simulating the admin clicking a malicious link.
  4. Payload:
    • Method: GET
    • URL: http://[TARGET]/wp-admin/admin.php?page=snippets-cloud&action=download-snippet&id=[CLOUD_ID]
  5. Alternative Payload (POST): If the list table handles actions via POST:
    • Method: POST
    • URL: http://[TARGET]/wp-admin/admin.php?page=snippets-cloud
    • Body: action=download-snippet&id=[CLOUD_ID]
    • Content-Type: application/x-www-form-urlencoded

6. Test Data Setup

  1. Install Plugin: Ensure Code Snippets version 3.9.4 is installed and active.
  2. Verify DB Table: Ensure the {prefix}snippets table exists (created on activation).
  3. Admin User: Create or identify an administrator user (e.g., admin / password).
  4. Cloud Snippet ID: For testing purposes, we will use a common cloud snippet ID (e.g., 1 or search the cloud interface to find a valid numeric/UUID ID).

7. Expected Results

  • HTTP Response: A 302 Found redirecting back to admin.php?page=snippets or a 200 OK with a "Snippet successfully downloaded" notice in the HTML.
  • Database Change: A new entry should appear in the wp_snippets table corresponding to the cloud snippet ID used in the attack.
  • Plugin UI: The "All Snippets" page in the WordPress dashboard should now list the newly downloaded snippet.

8. Verification Steps

After the http_request exploit, use wp-cli to verify the state change:

# Check if a new snippet exists in the custom table
wp db query "SELECT title, code FROM wp_snippets ORDER BY id DESC LIMIT 1;"

# Alternatively, if the plugin registers a post type (older versions vs newer)
wp post list --post_type=snippet

# Check for the total count of snippets before and after
wp db query "SELECT COUNT(*) FROM wp_snippets;"

9. Alternative Approaches

If download-snippet is not the exact action name:

  1. Search the Source: Run grep -r "action=" php/admin/class-cloud-search-list-table.php to identify the exact string used in row actions.
  2. Trace UI: Navigate to the Cloud Search page manually in a browser and hover over the "Download" button to see the URL structure.
  3. Try update-snippet: If the site already has a snippet that was originally from the cloud, try the update-snippet action to overwrite local changes with the cloud version.
    • URL: wp-admin/admin.php?page=snippets-cloud&action=update-snippet&id=[LOCAL_ID]&cloud_id=[CLOUD_ID] (structure inferred).

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.