{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1378", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-23T18:29:35.917Z", "datePublished": "2026-03-21T03:26:36.543Z", "dateUpdated": "2026-04-08T16:38:06.091Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:38:06.091Z"}, "affected": [{"vendor": "suifengtec", "product": "WP Posts Re-order", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Posts Re-order plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the `cpt_plugin_options()` function. This makes it possible for unauthenticated attackers to update the plugin settings including capability, autosort, and adminsort settings, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "WP Posts Re-order <= 1.0 - Cross-Site Request Forgery to Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1a79d08e-9429-4895-bc0c-cfaa8eb161d6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-posts-re-order/trunk/wp-posts-re-order.php#L572"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-posts-re-order/tags/1.0/wp-posts-re-order.php#L572"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2026-03-20T15:19:15.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T14:56:22.203489Z", "id": "CVE-2026-1378", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:09:14.591Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1378", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T14:56:22.203489Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:09:10.295Z"}}], "cna": {"title": "WP Posts Re-order <= 1.0 - Cross-Site Request Forgery to Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "suifengtec", "product": "WP Posts Re-order", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:19:15.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1a79d08e-9429-4895-bc0c-cfaa8eb161d6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-posts-re-order/trunk/wp-posts-re-order.php#L572"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-posts-re-order/tags/1.0/wp-posts-re-order.php#L572"}], "descriptions": [{"lang": "en", "value": "The WP Posts Re-order plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the `cpt_plugin_options()` function. This makes it possible for unauthenticated attackers to update the plugin settings including capability, autosort, and adminsort settings, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:38:06.091Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1378", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:38:06.091Z", "dateReserved": "2026-01-23T18:29:35.917Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:26:36.543Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Posts Re-order plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the `cpt_plugin_options()` function. This makes it possible for unauthenticated attackers to update the plugin settings including capability, autosort, and adminsort settings, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin WP Posts Re-order para WordPress es vulnerable a falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta la 1.0, inclusive. Esto se debe a la falta de validaci\u00f3n de nonce en la funci\u00f3n 'cpt_plugin_options()'. Esto permite que atacantes no autenticados actualicen la configuraci\u00f3n del plugin, incluyendo la configuraci\u00f3n de capacidad, autoordenaci\u00f3n y ordenaci\u00f3n de administradores, a trav\u00e9s de una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2026-1378", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:16:52.810", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-posts-re-order/tags/1.0/wp-posts-re-order.php#L572"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-posts-re-order/trunk/wp-posts-re-order.php#L572"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1a79d08e-9429-4895-bc0c-cfaa8eb161d6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP Posts Re-order", "source": "cna", "vendor": "suifengtec"}, "product": "wp_posts_re-order", "vendor": "suifengtec"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T06:27:59.430646+00:00", "value": {"mitigation_remediation": ["Update the WP Posts Re-order plugin to the latest version that includes nonce validation", "If a newer version is unavailable, consider removing the plugin from the site", "Verify that all administrative interfaces are protected behind strong authentication and that users are educated about phishing and CSRF risks"], "summary": {"action": "Patch immediately", "impact": "Unauthorized settings modification via CSRF"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts sites running the suifengtec WP Posts Re-order WordPress plugin version 1.0 or earlier. Any WordPress installation that has this plugin installed and has not been updated beyond version 1.0 is affected.", "description_and_impact": "The WP Posts Re-order plugin, in all versions up to 1.0, fails to validate nonces in the cpt_plugin_options() function. This flaw allows an unauthenticated attacker to send a forged request that causes a logged\u2011in administrator to unknowingly submit form data, thereby changing plugin settings such as capability levels, autosort, and adminsort. The resulting unauthorized configuration changes can alter how content is sorted or displayed and may grant elevated privileges to the attacker. The weakness is a classic Cross\u2011Site Request Forgery (CWE\u2011352).", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity. Exploitation requires the attacker to lure an administrator into clicking a crafted link or submitting a form, a common social\u2011engineering tactic. Because the flaw is not tied to server\u2011side code execution, the risk is lower than RCE but still significant for sites that rely on the plugin\u2019s sorting behavior. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited known exploitation but that it remains a viable threat. The likely attack vector is HTTP requests originating from an attacker\u2019s domain that trick a site administrator into executing the request."}}}}, "created": "2026-03-23T09:50:57.770712+00:00", "updated": "2026-03-25T14:42:32.573615+00:00", "vendors": ["suifengtec", "suifengtec$PRODUCT$wp_posts_re-order", "wordpress", "wordpress$PRODUCT$wordpress"]}