Skip to main content

Post Snippets EUVDEUVD-2026-39380

| CVE-2026-56049 HIGH
Code Injection (CWE-94)
2026-06-25 Patchstack GHSA-5rvc-gxqm-fm4r
8.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.5 HIGH

Contributor authentication gives PR:L; network-reachable with no interaction (AV:N/UI:N); a specific precondition warrants AC:H; code execution escapes the app boundary (S:C) with full C/I/A impact.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 14:23 vuln.today

DescriptionCVE.org

Contributor Remote Code Execution (RCE) in Post Snippets <= 4.0.19 versions.

AnalysisAI

Remote code execution in the Post Snippets WordPress plugin (versions 4.0.19 and earlier) lets an authenticated user with only Contributor-level privileges inject and execute arbitrary PHP/code on the server via the plugin's snippet-handling functionality (CWE-94). Because a low-privilege role can pivot to full server compromise with a scope change (S:C), this is a privilege-escalation-to-RCE flaw reported by Patchstack; no public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Contributor-level WordPress account
Delivery
Create snippet with injected code payload
Exploit
Trigger snippet evaluation as PHP
Execution
Execute arbitrary code on web server
Impact
Compromise host beyond WordPress scope

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account with at least Contributor-level privileges (CVSS PR:L) on a site running Post Snippets version 4.0.19 or earlier, used to create or edit a snippet whose content is then evaluated as code. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed but lean toward genuine priority for any site running this plugin. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a Contributor account on a WordPress site running Post Snippets <= 4.0.19, then crafts a snippet whose contents are evaluated as PHP by the plugin, satisfying the specific condition implied by the high attack complexity. When the snippet is processed/rendered, the injected code executes on the web server with the application's privileges, giving the attacker remote code execution and a path to full host compromise. …
Remediation No vendor-released patch version is identified in the available data, so the exact fixed release cannot be cited; consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/post-snippets/vulnerability/wordpress-post-snippets-plugin-4-0-19-remote-code-execution-rce-vulnerability) and the WordPress plugin repository for any release above 4.0.19 and upgrade to it as the primary fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all WordPress installations using Post Snippets plugin versions 4.0.19 or earlier; audit user accounts with Contributor or higher roles. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39380 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy