CVE-2022-29436: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2022-29436) affects Alexander Stokmann's Code Snippets Extended WordPress plugin versions up to and including 1.4.7. It combines a Persistent Cross-Site Scripting (XSS) vulnerability with a Cross-Site Request Forgery (CSRF) issue, specifically involving vulnerable parameters &title and &snippet_code. The vulnerability was discovered and disclosed on May 17, 2022 (NVD, Patchstack).

The vulnerability stems from the lack of CSRF protection when creating or editing snippets, combined with insufficient sanitization and escaping in certain fields. The CVSS v3.1 base score is 6.1 (Medium) according to NVD's assessment (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), while Patchstack rates it at 4.7 (Medium). The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability could allow attackers to make a logged-in administrator create or edit arbitrary snippets and insert XSS payloads into them. This creates a persistent security risk as the malicious code would remain in the system until manually removed (WPScan).

As of May 17, 2022, the plugin has been closed due to this security issue and is no longer available for download from the WordPress plugin repository. No official fix has been released (WordPress).