Code Snippets < 3.9.5 – Cloud Snippet Download/Update Actions via CSRF | CVE 2026-1785 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the cloud snippet download and update actions in the Cloud_Search_List_Table class. This makes it possible for unauthenticated attackers to force logged-in administrators to download or update cloud snippets without their consent via a crafted request, granted they can trick an administrator into visiting a malicious page.

Affects Plugins

Fixed in 3.9.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4a5787f3-6a16-491a-aa01-6222f275cf0f

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

type5afe

Verified

No

WPVDB ID

2c3e623a-ef35-4c62-a9ee-de1d7acdaa97

Timeline

Publicly Published

2026-02-05 (about 3 months ago)

Added

2026-02-05 (about 3 months ago)

Last Updated

2026-02-05 (about 3 months ago)

Other

Published

Title

Published

2025-07-17

Title

Zuppler Online Ordering <= 2.1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2017-03-01

Title

File Manager <= 4.1.4 - Cross-Site Request Forgery (CSRF) Arbitrary File Upload

Published

2024-06-21

Title

Newsletters < 4.9.8 - Cross-Site Request Forgery

Published

2022-04-11

Title

Yoo Slider < 2.1.0 - Arbitrary Template Import via CSRF

Published

2024-11-20

Title

Friendly Functions for Welcart < 1.2.5 - Cross-Site Request Forgery to Reflected Cross-Site Scripting