Skip to main content

Saad Iqbal Post Snippets CVE-2025-63040

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-12-31 audit@patchstack.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
4.3 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 16:15 nvd
N/A

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal Post Snippets post-snippets allows Cross Site Request Forgery.This issue affects Post Snippets: from n/a through <= 4.0.11.

AnalysisAI

Cross-site request forgery (CSRF) in the Post Snippets WordPress plugin through version 4.0.11 allows unauthenticated attackers to perform unauthorized administrative actions on vulnerable sites by tricking authenticated administrators into visiting malicious web pages. The vulnerability affects all versions up to and including 4.0.11, though no CVSS vector or EPSS exploitation probability above baseline has been assigned, suggesting limited real-world exploit infrastructure exists at this time.

Technical ContextAI

This is a classic CSRF vulnerability (CWE-352) in a WordPress plugin, which typically means the plugin's administrative functions lack proper nonce validation or CSRF token checks. WordPress plugins that fail to implement wp_nonce_field() in forms or wp_verify_nonce() in request handlers are susceptible to this attack class. The Post Snippets plugin, which allows creation and management of code snippets, likely exposes administrative endpoints (such as snippet creation, deletion, or configuration) without adequate cross-origin request protection. An attacker can craft a malicious HTML page containing hidden form submissions or AJAX requests that, when visited by a logged-in WordPress administrator, automatically execute unwanted actions within the plugin's functionality.

Affected ProductsAI

Post Snippets WordPress plugin (Saad Iqbal) versions 4.0.11 and all prior releases. The vulnerability affects installations on any WordPress site using this plugin up to version 4.0.11. Additional version details and the vendor security advisory are available at https://patchstack.com/database/Wordpress/Plugin/post-snippets/vulnerability/wordpress-post-snippets-plugin-4-0-11-cross-site-request-forgery-csrf-vulnerability?_s_id=cve.

RemediationAI

Update the Post Snippets plugin to the latest available version above 4.0.11. Site administrators should navigate to the WordPress Plugins dashboard, locate Post Snippets, and install any available update immediately. If no patched version is yet available from the plugin author, temporarily deactivate the plugin until an update is released. Additionally, ensure all WordPress installations use current versions of WordPress core and maintain security best practices such as regular nonce audits of critical plugin functionality. Refer to the Patchstack vulnerability report at the reference URL for additional details and vendor response timeline.

Share

CVE-2025-63040 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy