Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Control of Generation of Code ('Code Injection') vulnerability in Saad Iqbal Post Snippets post-snippets allows Remote Code Inclusion.This issue affects Post Snippets: from n/a through <= 4.0.12.
AnalysisAI
The Post Snippets WordPress plugin versions up to and including 4.0.12 contain an improper code generation vulnerability (CWE-94) that enables remote code injection and execution. An attacker can exploit this flaw to execute arbitrary code on affected WordPress installations, potentially leading to complete site compromise. The vulnerability has been publicly documented by Patchstack with available references, and the attack vector appears to be network-based without requiring high privileges.
Technical ContextAI
The vulnerability resides in the Saad Iqbal Post Snippets plugin (CPE: cpe:2.3:a:saad_iqbal:post_snippets:*:*:*:*:*:*:*:*), which is a WordPress plugin used for managing code snippets. The root cause is classified under CWE-94 (Improper Control of Generation of Code), a weakness where user-controlled input is improperly sanitized before being processed as executable code. This typically occurs when the plugin dynamically generates or includes code without adequate validation, allowing an attacker to inject malicious PHP or similar code that gets executed in the WordPress environment. The affected versions through 4.0.12 lack sufficient input validation mechanisms to prevent code injection attacks, likely in features related to snippet creation, storage, or rendering.
RemediationAI
Immediately upgrade the Post Snippets plugin to a patched version beyond 4.0.12 if such a version is available from the plugin author (verify current status at the Patchstack advisory link). If a patched version is not yet released, disable and deactivate the Post Snippets plugin until a security update becomes available, then implement an alternative code snippet management solution. As an interim defensive measure, restrict direct access to WordPress administrative interfaces using IP whitelisting, implement a Web Application Firewall (WAF) with rules to detect code injection patterns in POST requests, and enable comprehensive WordPress security logging to detect exploitation attempts. Monitor the plugin's official repository and Patchstack for patch availability notifications, and test any update in a staging environment before deploying to production.
More in Post Snippets
View allRemote code execution in the Post Snippets WordPress plugin (versions 4.0.19 and earlier) lets an authenticated user wit
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor pat
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15609
GHSA-mgq2-f9fr-xpmw