Medium severity 4.3 · NVD Advisory · Published Jan 23, 2026 · Updated Apr 15, 2026

CVE-2026-24542

Description

Cross-Site Request Forgery (CSRF) vulnerability in John James Jacoby WP Term Order wp-term-order allows Cross Site Request Forgery. This issue affects WP Term Order: from n/a through <= 2.1.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF vulnerability in WP Term Order plugin up to 2.1.0 allows attackers to force privileged users to perform unintended actions via crafted requests.

The vulnerability is a Cross-Site Request Forgery (CSRF) issue in the WP Term Order plugin for WordPress, affecting versions up to and including 2.1.0 [1]. This arises because the plugin fails to properly validate or include a nonce or token in sensitive actions, allowing an attacker to craft malicious requests.

Exploitation requires social engineering: an attacker must trick a privileged user (such as an administrator) into clicking a malicious link, visiting a crafted page, or submitting a form while authenticated to the WordPress site [1]. No direct authentication is needed from the attacker, but user interaction is required.

If successful, the CSRF vulnerability could allow the attacker to force the victim to perform unintended actions under their current session, such as modifying term orders or other plugin settings [1]. The impact is considered low severity, but such vulnerabilities are often used in mass exploitation campaigns against WordPress sites.

The issue has been patched in version 2.2.0 of the WP Term Order plugin [1]. Users are strongly advised to update immediately. For Patchstack users, enabling auto-update for vulnerable plugins is recommended [1].
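
To confirm whether an install falls in the affected range stated above (through 2.1.0, fixed in 2.2.0), the following added example reads the version from the plugin's header comment; it is not part of the advisory or the plugin. The directory name `wp-term-order` under the plugins folder and all function names are assumptions, and the sample header is constructed.

```python
import re
from pathlib import Path

# Versions taken from the advisory text: affected through 2.1.0, fixed in 2.2.0.
LAST_AFFECTED = (2, 1, 0)
PLUGIN_SLUG = "wp-term-order"  # assumption: directory name under wp-content/plugins

# WordPress reads plugin metadata from a "Version:" line in the header comment.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(text):
    """Return the header version as a 3-tuple of ints, or None if absent."""
    match = VERSION_RE.search(text[:8192])  # headers live in the first 8 KiB
    if not match:
        return None
    parts = re.findall(r"\d+", match.group(1))[:3]
    if not parts:
        return None
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))


def classify(text):
    """Map a plugin header to 'affected', 'patched' or 'unknown'."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # treat as needing manual review
    return "affected" if version <= LAST_AFFECTED else "patched"


def audit(plugins_dir):
    """Classify every PHP file in the plugin directory that has a plugin header."""
    results = {}
    for php in sorted(Path(plugins_dir, PLUGIN_SLUG).glob("*.php")):
        text = php.read_text(errors="replace")
        if re.search(r"Plugin Name:", text[:8192]):
            results[php.name] = classify(text)
    return results


# Constructed sample header, not copied from the plugin.
SAMPLE = "<?php\n/**\n * Plugin Name: WP Term Order\n * Version:     2.1.0\n */\n"

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Run `audit()` against each site's `wp-content/plugins` path; an `unknown` result means the header could not be read and the install should be checked by hand.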

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

References

1
