Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Contributor authentication gives PR:L; network-reachable with no interaction (AV:N/UI:N); a specific precondition warrants AC:H; code execution escapes the app boundary (S:C) with full C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Contributor Remote Code Execution (RCE) in Post Snippets <= 4.0.19 versions.
AnalysisAI
Remote code execution in the Post Snippets WordPress plugin (versions 4.0.19 and earlier) lets an authenticated user with only Contributor-level privileges inject and execute arbitrary PHP/code on the server via the plugin's snippet-handling functionality (CWE-94). Because a low-privilege role can pivot to full server compromise with a scope change (S:C), this is a privilege-escalation-to-RCE flaw reported by Patchstack; no public exploit has been identified at time of analysis and it is not listed in CISA KEV.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress account with at least Contributor-level privileges (CVSS PR:L) on a site running Post Snippets version 4.0.19 or earlier, used to create or edit a snippet whose content is then evaluated as code. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed but lean toward genuine priority for any site running this plugin. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or obtains a Contributor account on a WordPress site running Post Snippets <= 4.0.19, then crafts a snippet whose contents are evaluated as PHP by the plugin, satisfying the specific condition implied by the high attack complexity. When the snippet is processed/rendered, the injected code executes on the web server with the application's privileges, giving the attacker remote code execution and a path to full host compromise. … |
| Remediation | No vendor-released patch version is identified in the available data, so the exact fixed release cannot be cited; consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/post-snippets/vulnerability/wordpress-post-snippets-plugin-4-0-19-remote-code-execution-rce-vulnerability) and the WordPress plugin repository for any release above 4.0.19 and upgrade to it as the primary fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all WordPress installations using Post Snippets plugin versions 4.0.19 or earlier; audit user accounts with Contributor or higher roles. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Post Snippets
View allThe Post Snippets WordPress plugin versions up to and including 4.0.12 contain an improper code generation vulnerability
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor pat
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39380
GHSA-5rvc-gxqm-fm4r