CVE-2026-24567

The Anything Order by Terms plugin for WordPress (versions up to and including 1.4.0) contains a missing authorization vulnerability. The plugin fails to properly check access control security levels, meaning functions that should require higher privileges are accessible without proper authentication or nonce validation [1].

This broken access control issue can be exploited by any unauthenticated visitor to the site. Attackers do not need any special privileges or network position; they can simply send crafted requests to the vulnerable endpoints. The vulnerability is particularly dangerous because it is used in mass-exploit campaigns targeting thousands of WordPress sites regardless of their size or popularity [1].

Successful exploitation allows an unprivileged attacker to execute actions that should be reserved for higher-privileged users, such as administrators. This could lead to unauthorized modification of plugin settings, data exposure, or other unintended operations depending on the specific missing authorization checks [1].

As an immediate mitigation, users should update the Anything Order by Terms plugin to a patched version (if available) or remove it entirely. If updating is not possible, contacting the hosting provider or a web developer for assistance is recommended [1].