CVE-2025-26759

CVE-2025-26759 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the alexvtn Content Snippet Manager WordPress plugin (content-snippet-manager). It affects all versions from n/a through 1.1.5 and enables Stored XSS execution. The issue has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and scope change.

Unauthenticated attackers (PR:N) can exploit this over the network (AV:N) with low complexity (AC:L), provided they induce user interaction (UI:R), such as tricking an authenticated WordPress user—likely an administrator or editor with snippet management privileges—into visiting a malicious site or clicking a forged link. This triggers a CSRF request that injects malicious payloads, resulting in stored XSS. The stored script executes in the context of the WordPress site for subsequent visitors, achieving low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L) with changed scope (S:C), potentially leading to session hijacking, data theft, or further site compromise.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/content-snippet-manager/vulnerability/wordpress-content-snippet-manager-plugin-1-1-5-csrf-to-stored-xss-vulnerability?_s_id=cve details the CSRF-to-Stored XSS vulnerability in version 1.1.5 and recommends updating to a patched version beyond 1.1.5 as the primary mitigation.