Platform: wordpress
Component: wp-term-order
Fixed in: 2.2.0
CVE-2026-24542 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the WP Term Order WordPress plugin. This flaw allows an attacker to perform unauthorized actions on a user's behalf, potentially modifying term order settings. The vulnerability affects versions from 0.0.0 through 2.1.0, and a patch is available in version 2.2.0.
A successful CSRF attack could allow an attacker to maliciously alter the order of terms within WordPress custom taxonomies. This could disrupt website functionality, change content organization, or even be used as a stepping stone for further attacks if other vulnerabilities exist. The attacker would need to trick a legitimate user into visiting a malicious webpage crafted to exploit the vulnerability. While the direct impact might seem limited to term order, the potential for cascading effects and manipulation of website content should be considered.
This vulnerability was publicly disclosed on January 23, 2026. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability's impact is considered medium, and it is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed.
Websites using the WP Term Order plugin, particularly those with custom taxonomies and user roles with the ability to modify term order, are at risk. Shared hosting environments where plugin updates are not consistently managed are also more vulnerable.
• wordpress / composer / npm:
grep -r 'wp_term_order_reorder_terms' /var/www/html/wp-content/plugins/
• wordpress / composer / npm:
wp plugin list --status=inactive | grep wp-term-order
• wordpress / composer / npm:
wp plugin list | grep wp-term-order
Exploit Status
EPSS: 0.01% (percentile 0%)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade the WP Term Order plugin to version 2.2.0 or later, which contains the fix. If immediate upgrading is not possible, consider implementing a Content Security Policy (CSP) to restrict the sources from which the browser can load resources. Additionally, using a WordPress security plugin with CSRF protection can provide an extra layer of defense. Regularly review user activity logs for suspicious requests.
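As an added illustration, not the WP Term Order plugin's code and not its actual 2.2.0 patch, the standard WordPress defence for this class of bug: a term-reorder admin handler that accepts any POST, beside one that verifies a nonce and a capability before acting. The handler, nonce, form-field and meta-key names are hypothetical.

```php
<?php
// Added example, not the WP Term Order plugin's code or its actual 2.2.0 patch.
// Shows the standard WordPress CSRF defence for an admin action that reorders
// terms: the unsafe handler acts on any POST, the hardened one checks a nonce
// and a capability first. Handler, nonce, field and meta-key names are hypothetical.

// Admin-page form: the nonce field binds the submission to the current user's session.
function example_render_reorder_form( array $term_ids ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_reorder_terms">';
    wp_nonce_field( 'example_reorder_terms', 'example_reorder_nonce' );
    foreach ( $term_ids as $term_id ) {
        echo '<input type="hidden" name="order[]" value="' . absint( $term_id ) . '">';
    }
    submit_button( 'Save order' );
    echo '</form>';
}

// VULNERABLE shape: nothing ties the request to an intent of the logged-in user,
// so a form auto-submitted from another site by an admin's browser is accepted.
function example_reorder_terms_unsafe() {
    $order = array_map( 'absint', (array) ( $_POST['order'] ?? array() ) );
    example_apply_order( $order );
}

// HARDENED: nonce check (CSRF), then capability check (authorization), then sanitize.
function example_reorder_terms_safe() {
    // check_admin_referer() calls wp_die() when the nonce is missing or invalid.
    check_admin_referer( 'example_reorder_terms', 'example_reorder_nonce' );
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    $order = array_map( 'absint', (array) ( $_POST['order'] ?? array() ) );
    example_apply_order( $order );
    wp_safe_redirect( wp_get_referer() ?: admin_url( 'edit-tags.php' ) );
    exit;
}

// Hypothetical persistence: the term's position stored as term meta.
function example_apply_order( array $order ) {
    foreach ( array_values( $order ) as $position => $term_id ) {
        update_term_meta( $term_id, 'example_term_order', $position );
    }
}

// Only the hardened handler is wired up; the unsafe one is shown for contrast.
add_action( 'admin_post_example_reorder_terms', 'example_reorder_terms_safe' );
```

The nonce is the control that actually stops a cross-site form submission; the capability check is a separate authorization layer that a nonce alone does not provide.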
Update to version 2.2.0 or a newer fixed version.
CVE-2026-24542 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WP Term Order WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using WP Term Order versions 0.0.0 through 2.1.0. Upgrade to 2.2.0 or later to mitigate the risk.
Upgrade the WP Term Order plugin to version 2.2.0 or later. Consider implementing a Content Security Policy (CSP) as an additional precaution.
Active exploitation is not currently confirmed, but it's crucial to apply the patch to prevent potential attacks.
Refer to the WP Term Order plugin's official website or WordPress plugin repository for the latest advisory and update information.