Platform
wordpress
Component
wp-posts-re-order
Fixed in
1.0.1
CVE-2026-1378 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the WP Posts Re-order plugin for WordPress. This flaw allows unauthenticated attackers to manipulate plugin settings, potentially impacting site functionality and administrator privileges. The vulnerability impacts versions 1.0.0 through 1.0, and a fix is pending release from the plugin developer.
An attacker exploiting this CSRF vulnerability can use a forged request, submitted by the browser of a logged-in administrator, to modify critical plugin settings within the WordPress environment. Specifically, they can alter the capability, autosort, and adminsort configurations. Successful exploitation could lead to unauthorized changes in post ordering, potentially disrupting content management workflows. While the vulnerability doesn't directly expose sensitive data, it can be used to gain control over plugin behavior and potentially to escalate privileges if combined with other vulnerabilities. As with other CSRF flaws, user interaction (an administrator clicking a malicious link) is required for exploitation.
CVE-2026-1378 was publicly disclosed on 2026-03-21. As of this date, there are no known public proof-of-concept exploits available. The EPSS score is low (0.01%, 2nd percentile), reflecting the requirement for user interaction (a site administrator clicking a malicious link) to trigger the vulnerability. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-1378 is to upgrade to a patched version of the WP Posts Re-order plugin as soon as it becomes available. Until a fix is released, implement temporary workarounds to reduce the risk. Consider using a WordPress security plugin with CSRF protection features, which can add nonce validation to plugin settings pages. Additionally, restrict access to plugin settings pages to authorized administrators only. Monitor WordPress access logs for suspicious requests that reach the plugin's cptpluginoptions() settings handler. After upgrading, verify that the plugin settings have not been altered by reviewing the configuration.
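To show what the nonce validation above actually changes, here is an added illustration (not the plugin's own code, and every function and option-key name in it is an assumption): a hypothetical settings handler for the advisory's three settings, first in the CSRF-prone shape and then with the standard WordPress capability check, nonce and input whitelisting applied.

```php
<?php
// Added illustration, not the plugin's own code: a hypothetical settings handler
// for a posts re-order plugin in the CSRF-prone shape, then the hardened shape.
// The setting names (capability, autosort, adminsort) come from the advisory;
// every function and option-key name below is an assumption.
// Vulnerable shape: persists whatever arrives in POST. No nonce ties the request
// to a form this site rendered, so a page on another origin that auto-submits a
// form here, while an administrator is logged in, changes the settings silently.
function reorder_save_options_vulnerable() {
    if ( isset( $_POST['save'] ) ) {
        update_option( 'reorder_capability', $_POST['capability'] );
        update_option( 'reorder_autosort', $_POST['autosort'] );
        update_option( 'reorder_adminsort', $_POST['adminsort'] );
    }
}

// Hardened shape, step 1: the settings form carries a nonce bound to an action
// name and to the logged-in user. A cross-site page cannot obtain this value.
function reorder_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'reorder_save_options', 'reorder_nonce' ); // hidden input "reorder_nonce"
    echo '<input type="text" name="capability">';
    echo '<input type="checkbox" name="autosort" value="1"><input type="checkbox" name="adminsort" value="1">';
    echo '<input type="submit" name="save" value="Save"></form>';
}

// Hardened shape, step 2: the handler checks privilege, then the nonce, then
// constrains each value to what the plugin accepts before persisting it.
function reorder_save_options_hardened() {
    if ( ! isset( $_POST['save'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.' );
    }
    // Verifies reorder_nonce against the 'reorder_save_options' action; dies on mismatch.
    check_admin_referer( 'reorder_save_options', 'reorder_nonce' );
    // Assumed whitelist of capabilities the plugin is willing to store.
    $allowed = array( 'edit_posts', 'edit_others_posts', 'manage_options' );
    $cap     = sanitize_key( wp_unslash( $_POST['capability'] ?? '' ) );
    if ( ! in_array( $cap, $allowed, true ) ) {
        $cap = 'edit_others_posts';
    }
    update_option( 'reorder_capability', $cap );
    update_option( 'reorder_autosort', empty( $_POST['autosort'] ) ? 0 : 1 );
    update_option( 'reorder_adminsort', empty( $_POST['adminsort'] ) ? 0 : 1 );
}
add_action( 'admin_init', 'reorder_save_options_hardened' );
```

A nonce alone does not replace the capability check: the nonce proves the request came from a form this site rendered for this user, while current_user_can() decides whether that user may change the settings at all.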
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-1378 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP Posts Re-order WordPress plugin, allowing attackers to modify plugin settings via forged requests.
You are affected if your WordPress site uses the WP Posts Re-order plugin in versions 1.0.0 through 1.0. Check your plugin versions and upgrade when a fix is available.
Upgrade to the latest version of the WP Posts Re-order plugin as soon as a patched version is released. Until then, implement workarounds like using a security plugin with CSRF protection.
As of the disclosure date, there are no confirmed reports of active exploitation, but the vulnerability remains present in unpatched installations.
Refer to the plugin developer's website or the WordPress plugin repository for updates and advisories related to CVE-2026-1378.