Albatross George

#50710 of 53,634
4.4 Total CVSS
Vulnerabilities · 1
PT-2026-44745
4.4
2026-05-29
WordPress · Post Snippets · CVE-2026-7430
**Name of the Vulnerable Software and Affected Versions**

Post Snippets versions prior to 4.0.20

**Description**

The Post Snippets plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs because imported snippet content is not sufficiently escaped when rendering JavaScript variables in the post editor. Specifically, the `jqueryUiDialog()` function in `WPEditor.php` embeds snippet content into JavaScript string literals without escaping double quotes. When using the Import/Export feature, content bypasses `wp_magic_quotes()`, which normally adds protective backslashes. This allows authenticated attackers with Administrator-level access or higher to inject arbitrary web scripts through a malicious import file. These scripts execute when any administrator accesses a post editor page. This issue does not affect single-site installations because administrators in those environments already possess the `unfiltered_html` capability.

**Recommendations**

Update to a version later than 4.0.19.
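
The escaping gap described above, as an added example that is not code from Post Snippets: the function names and sample content are hypothetical, and `addslashes()` stands in for the backslashes that `wp_magic_quotes()` adds to request data. Inside WordPress, `wp_json_encode()` is the usual wrapper for the hardened call.

```php
<?php
// Added illustration, not the plugin's code. Function names are hypothetical.

// Pattern from the advisory: content is placed inside a double-quoted
// JavaScript string literal and the renderer does no escaping of its own.
function render_unescaped(string $snippet): string {
    return 'var snippet = "' . $snippet . '";';
}

// Hardened form: the JSON encoder emits the whole literal, quotes included.
// The JSON_HEX_* flags encode <, >, &, ' and " as \uXXXX sequences, so the
// value cannot close the string or the surrounding <script> element.
function render_encoded(string $snippet): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return 'var snippet = ' . json_encode($snippet, $flags) . ';';
}

// Constructed, benign sample content that contains double quotes.
$content = 'Title: "Quarterly report"';

// Form submission path: the request data already carries backslashes, so the
// unescaped renderer happens to produce a well-formed literal.
$from_post = addslashes($content);
echo "POST path, unescaped renderer:\n  ", render_unescaped($from_post), "\n";

// Import path: content read from the import file never received those
// backslashes, so the first inner quote ends the literal early and the
// remainder is parsed by the browser as JavaScript.
$from_import = $content;
echo "Import path, unescaped renderer:\n  ", render_unescaped($from_import), "\n";

// The same imported content through the encoder stays one string literal,
// regardless of which path delivered it.
echo "Import path, encoded renderer:\n  ", render_encoded($from_import), "\n";
```

The point for reviewers is that output escaping belongs in the renderer itself; relying on backslashes added at input time fails for any path that does not pass through request data.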