Platform: wordpress
Component: wp-term-order
Fixed in: 2.2.0
CVE-2026-24542 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the WP Term Order WordPress plugin. This flaw allows an attacker to perform unauthorized actions on a user's behalf, potentially modifying term order settings. The vulnerability affects versions from 0.0.0 through 2.1.0, and a patch is available in version 2.2.0.
A successful CSRF attack could allow an attacker to maliciously alter the order of terms within WordPress custom taxonomies. This could disrupt website functionality, change content organization, or even be used as a stepping stone for further attacks if other vulnerabilities exist. The attacker would need to trick a legitimate user into visiting a malicious webpage crafted to exploit the vulnerability. While the direct impact might seem limited to term order, the potential for cascading effects and manipulation of website content should be considered.
This vulnerability was publicly disclosed on January 23, 2026. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability's impact is considered medium, and it is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed.
Exploit Status
EPSS: 0.01% (0% percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation is to upgrade the WP Term Order plugin to version 2.2.0 or later, which contains the fix. If immediate upgrading is not possible, consider implementing a Content Security Policy (CSP) to restrict the sources from which the browser can load resources. Additionally, using a WordPress security plugin with CSRF protection can provide an extra layer of defense. Regularly review user activity logs for suspicious requests.
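An added example, not the plugin's own code (this page shows none), of the standard WordPress defense against this class of bug: the admin-ajax handler that writes a term's order requires a nonce bound to the action and the current user's session, and separately checks the user's capability, shown beside the unprotected shape for contrast. Function names prefixed wpto_demo_, the meta key 'order' and the file order.js are assumptions.

```php
<?php
// Added illustration, not the WP Term Order plugin's code. Names prefixed
// wpto_demo_ are hypothetical; the WordPress API calls are real.

// VULNERABLE pattern (shown for contrast, deliberately not hooked): any POST
// arriving with the user's login cookie is honoured, so a page on another
// origin can submit it on the user's behalf. This is the CSRF shape.
function wpto_demo_save_order_vulnerable() {
    $term_id = absint( $_POST['term_id'] ?? 0 );
    $order   = absint( $_POST['order'] ?? 0 );
    update_term_meta( $term_id, 'order', $order );
    wp_send_json_success();
}

// HARDENED pattern: require a nonce bound to this action and the current
// user's session, then an explicit capability check before writing.
function wpto_demo_save_order_hardened() {
    // Dies with HTTP 403 unless $_POST['_ajax_nonce'] is valid for this action.
    // An attacker's page cannot read the nonce, so cross-origin POSTs fail here.
    check_ajax_referer( 'wpto_demo_save_order', '_ajax_nonce' );

    // Nonces prove intent, not permission: still check authorization.
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $term_id = absint( $_POST['term_id'] ?? 0 );
    $order   = absint( $_POST['order'] ?? 0 );
    if ( ! $term_id ) {
        wp_send_json_error( 'invalid term id', 400 );
    }
    update_term_meta( $term_id, 'order', $order );
    wp_send_json_success( array( 'term_id' => $term_id, 'order' => $order ) );
}
add_action( 'wp_ajax_wpto_demo_save_order', 'wpto_demo_save_order_hardened' );

// Issue the nonce to the admin page's own script so legitimate requests carry it.
function wpto_demo_enqueue( $hook ) {
    if ( 'edit-tags.php' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'wpto-demo', plugins_url( 'order.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'wpto-demo', 'wptoDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wpto_demo_save_order' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'wpto_demo_enqueue' );
```

A CSP header sent by the site only governs pages the site itself renders; it does not stop a form on another origin from posting to admin-ajax.php, so the nonce and capability checks are the controls that actually close the CSRF.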
Update to version 2.2.0, or a newer patched version
CVE-2026-24542 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WP Term Order WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using WP Term Order versions 0.0.0 through 2.1.0. Upgrade to 2.2.0 or later to mitigate the risk.
Upgrade the WP Term Order plugin to version 2.2.0 or later. Consider implementing a Content Security Policy (CSP) as an additional precaution.
Active exploitation is not currently confirmed, but it's crucial to apply the patch to prevent potential attacks.
Refer to the WP Term Order plugin's official website or WordPress plugin repository for the latest advisory and update information.