CVE-2026-1378 in WP Posts Re-order Plugin
Summary
by MITRE • 03/21/2026
The WP Posts Re-order plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the `cpt_plugin_options()` function. This makes it possible for unauthenticated attackers to update the plugin settings, including capability, autosort, and adminsort settings, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Analysis
by VulDB Data Team • 03/27/2026
The WP Posts Re-order plugin vulnerability is a critical cross-site request forgery weakness that affects all versions up to and including 1.0. The flaw resides in the plugin's `cpt_plugin_options()` function, which performs no nonce validation at all. WordPress nonces are the cryptographic tokens that tie a state-changing request to the form that issued it; because the plugin never verifies one, a crafted request can modify plugin settings without any proof that the administrator intended the change.
The missing nonce check lets an unauthenticated attacker craft a request that modifies critical plugin settings: the capability setting that controls which users may reorder posts, the autosort setting that reorders posts automatically, and the adminsort setting that governs sorting in the administrative interface. These settings matter because they alter how posts are displayed and managed within the WordPress environment and could be abused to create backdoors or privilege escalation opportunities.
The operational impact goes beyond a simple configuration change because the affected settings govern core content management behaviour. When an administrator unknowingly clicks a malicious link or visits a compromised website, the browser submits the forged request with the administrator's existing session, so it is processed as an authorised action and can change plugin behaviour that affects content presentation and access controls. The threat persists for as long as the vulnerable plugin remains installed, and it requires no authentication from the attacker, only an administrator performing routine browsing activities.
The vulnerability is classified under CWE-352, Cross-Site Request Forgery. The analysis also maps it to ATT&CK technique T1078.004 (valid accounts) and T1547.001 (registry run keys). Organisations should update to the latest plugin version, ensure the settings handler performs proper nonce validation, and educate administrators about the risk of following untrusted links. In addition, request monitoring should be tuned to flag suspicious requests against the plugin's settings endpoint, and security audits should confirm that every installed WordPress plugin protects its state-changing actions against CSRF so that similar weaknesses do not surface in other components of the web application stack.
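The following is an added illustration, not code from the WP Posts Re-order plugin: it shows the shape of a settings handler that saves the capability, autosort and adminsort options straight from `$_POST` with no nonce check (the weakness described above), beside a hardened version that uses WordPress's `check_admin_referer()` and `current_user_can()` before writing anything. The option keys, the nonce action name, the capability allow-list and the settings-page slug are assumptions made for this example; only the function name `cpt_plugin_options()` and the three setting names come from the advisory.

```php
<?php
/**
 * Added example (not the plugin's own code). Demonstrates the missing-nonce
 * CSRF pattern reported for cpt_plugin_options() beside a hardened handler.
 * Option keys, nonce action, allow-list and page slug are assumed values.
 */

// Vulnerable shape: the options are written from raw POST data with no nonce
// check. The menu capability gate below still applies, but a forged cross-site
// POST rides on the administrator's own session and therefore passes it.
function cpt_plugin_options_vulnerable() {
    if ( isset( $_POST['submit'] ) ) {
        update_option( 'cpt_capability', $_POST['capability'] );
        update_option( 'cpt_autosort', isset( $_POST['autosort'] ) ? 1 : 0 );
        update_option( 'cpt_adminsort', isset( $_POST['adminsort'] ) ? 1 : 0 );
    }
    cpt_render_form_example( false );
}

// Hardened shape: verify the nonce AND the caller's capability before touching
// any option. The nonce proves the request originated from the form this site
// rendered for this user; current_user_can() proves the user may change settings.
function cpt_plugin_options_hardened() {
    if ( isset( $_POST['submit'] ) ) {
        // Calls wp_die() when the nonce is missing, expired or does not verify.
        check_admin_referer( 'cpt_save_options', 'cpt_options_nonce' );

        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'You are not allowed to change these settings.' ) );
        }

        // Validate the capability against an allow-list instead of storing raw input.
        $allowed_caps = array( 'edit_posts', 'edit_others_posts', 'publish_posts', 'manage_options' ); // assumed list
        $capability   = sanitize_key( wp_unslash( $_POST['capability'] ?? '' ) );
        if ( in_array( $capability, $allowed_caps, true ) ) {
            update_option( 'cpt_capability', $capability );
        }
        update_option( 'cpt_autosort', empty( $_POST['autosort'] ) ? 0 : 1 );
        update_option( 'cpt_adminsort', empty( $_POST['adminsort'] ) ? 0 : 1 );
    }
    cpt_render_form_example( true );
}

// Form renderer shared by both handlers. Only the hardened variant embeds the
// nonce field that check_admin_referer() later verifies.
function cpt_render_form_example( $with_nonce ) {
    ?>
    <form method="post">
        <?php if ( $with_nonce ) { wp_nonce_field( 'cpt_save_options', 'cpt_options_nonce' ); } ?>
        <input type="text" name="capability"
               value="<?php echo esc_attr( get_option( 'cpt_capability', 'edit_posts' ) ); ?>">
        <label><input type="checkbox" name="autosort" <?php checked( get_option( 'cpt_autosort', 0 ), 1 ); ?>> autosort</label>
        <label><input type="checkbox" name="adminsort" <?php checked( get_option( 'cpt_adminsort', 0 ), 1 ); ?>> adminsort</label>
        <?php submit_button(); ?>
    </form>
    <?php
}

// Register the hardened handler as the settings page (assumed slug).
add_action( 'admin_menu', function () {
    add_options_page( 'Posts Re-order', 'Posts Re-order', 'manage_options',
        'cpt-reorder-example', 'cpt_plugin_options_hardened' );
} );
```

The two checks are complementary: `current_user_can()` alone does not stop CSRF, because the forged request is made by a browser that already holds an administrator session, and a nonce alone does not stop a low-privileged user who can reach the form. WordPress nonces are bound to the user and expire after a limited window, which is why a token lifted from one session cannot be replayed against another. Plugins that register their options through the Settings API (`register_setting()` with `settings_fields()` in the form) get the equivalent nonce check from `options.php` automatically, which is the more idiomatic fix when a handler is being rewritten rather than patched.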