CVE-2026-7430 is a stored cross-site scripting vulnerability in the Post Snippets – Custom WordPress Code Snippets Customizer plugin, affecting all versions up to 4.0.19. The issue is caused by insufficient output escaping of imported snippet content embedded directly into JavaScript string literals within the jqueryUiDialog() method in WPEditor.php. The commented-out quote-escaping code and bypass of WordPress's wp_magic_quotes() during import allow double quotes in snippet content to break out of the JavaScript context. This enables authenticated administrators to inject and execute arbitrary scripts via a crafted import file when accessing the post editor page. Single-site installations are not impacted due to the unfiltered_html capability already granted to administrators.

An attacker with Administrator-level privileges can inject malicious JavaScript code via the import feature of the plugin. This code executes in the context of the post editor page for any administrator who opens it, potentially leading to session hijacking, privilege escalation, or other script-based attacks. The vulnerability does not affect confidentiality or availability directly but impacts integrity and user trust. Single-site WordPress installations are not affected due to existing capability restrictions.

Patch status is not yet confirmed — no official fix or patch links are provided. Administrators should avoid importing snippet content from untrusted sources until a vendor fix is released. Since the vulnerability requires Administrator-level access, restricting administrative privileges and monitoring import activities can reduce risk. Check the vendor advisory regularly for updates on official remediation or patches.