Description
Cross-Site Request Forgery (CSRF) vulnerability in Hiren Patel Custom Posts Order custom-posts-order allows Stored XSS. This issue affects Custom Posts Order: from n/a through <= 4.4.
Published: 2025-04-09
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to perform a Cross‑Site Request Forgery attack that results in stored malicious JavaScript code being inserted into the Custom Posts Order plugin settings. Once stored, the script executes in the browsers of any user who views the affected content, enabling theft of session data, defacement, or further attacks. The weakness is a classic CSRF flaw that leads to persistent XSS.

Affected Systems

WordPress sites that use the Custom Posts Order plugin by Hiren Patel, version 4.4 or older. All installations with a user role that can alter the plugin settings are potentially exposed.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while the EPSS of <1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a logged‑in user with permission to modify plugin configuration; an attacker can craft a malicious request that tricks that user into submitting it, after which the injected script runs in subsequent visits by other users. No public exploit details are disclosed, but the attack path is clear from the description.

Generated by OpenCVE AI on May 1, 2026 at 00:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of Custom Posts Order, which removes the CSRF flaw and stops the potential for stored XSS.
  • If an upgrade cannot be applied immediately, limit access to the plugin’s configuration screens to administrators only, removing editing rights for other user roles.
  • Implement WordPress nonces on all forms that change plugin settings and verify them before processing to block CSRF attempts.
  • Temporarily disable the feature that allows order changes via POST requests until a secure patch is deployed.

Generated by OpenCVE AI on May 1, 2026 at 00:03 UTC.
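One way to implement the nonce, capability and output-escaping controls the recommendations above describe, as an added example that is not part of the OpenCVE analysis or of the Custom Posts Order plugin's code; the option, hook and nonce names (cpo_*) and the settings page slug are hypothetical placeholders.

```php
<?php
// Added illustration, not the plugin's own code: a WordPress admin settings handler
// for one plugin option, first in the unsafe shape that turns CSRF into stored XSS,
// then hardened. Option, hook, nonce names (cpo_*) and page slug are hypothetical.

// BEFORE: any request carrying the victim's logged-in cookies is accepted, and the
// submitted value is stored and later echoed without escaping.
function cpo_save_order_unsafe() {
    update_option( 'cpo_order_label', $_POST['order_label'] ); // no nonce, no sanitizing
    wp_safe_redirect( admin_url( 'admin.php?page=cpo' ) );
    exit;
}

// AFTER: capability check, nonce verification, input sanitizing, output escaping.
function cpo_save_order_safe() {
    // 1. Only users allowed to manage settings may reach this code path.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. The nonce is bound to this action and the current user's session; a form
    //    hosted on another site cannot supply it, so the request dies here (HTTP 403).
    check_admin_referer( 'cpo_save_order', 'cpo_nonce' );

    // 3. Store only a sanitized value: tags stripped, control characters removed.
    $raw = isset( $_POST['order_label'] ) ? wp_unslash( $_POST['order_label'] ) : '';
    update_option( 'cpo_order_label', sanitize_text_field( $raw ) );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=cpo' ) ) );
    exit;
}
add_action( 'admin_post_cpo_save_order', 'cpo_save_order_safe' );

// Settings form: emits the nonce field and escapes the stored value on output, so a
// value that reached the database by other means still cannot run as script.
function cpo_render_settings_page() {
    $label = get_option( 'cpo_order_label', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cpo_save_order">
        <?php wp_nonce_field( 'cpo_save_order', 'cpo_nonce' ); ?>
        <label>Order label
            <input type="text" name="order_label" value="<?php echo esc_attr( $label ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

A quick check when reviewing a plugin: every `admin_post_*` or `admin-ajax` handler that writes an option should contain both a `current_user_can()` test and a `check_admin_referer()` / `wp_verify_nonce()` call before the write, and every place the option is printed should pass through `esc_attr()` or `esc_html()`.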

Advisories

Source: EUVD
ID: EUVD-2025-10585
Title: Cross-Site Request Forgery (CSRF) vulnerability in Hiren Patel Custom Posts Order allows Stored XSS. This issue affects Custom Posts Order: from n/a through 4.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description (removed): Cross-Site Request Forgery (CSRF) vulnerability in Hiren Patel Custom Posts Order allows Stored XSS. This issue affects Custom Posts Order: from n/a through 4.4.
Description (added): Cross-Site Request Forgery (CSRF) vulnerability in Hiren Patel Custom Posts Order custom-posts-order allows Stored XSS.This issue affects Custom Posts Order: from n/a through <= 4.4.
References: (empty)
Metrics cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 09 Apr 2025 19:15:00 +0000

Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 09 Apr 2025 16:30:00 +0000

Description: Cross-Site Request Forgery (CSRF) vulnerability in Hiren Patel Custom Posts Order allows Stored XSS. This issue affects Custom Posts Order: from n/a through 4.4.
Title: WordPress Custom Posts Order Plugin <= 4.4 - CSRF to Stored Cross Site Scripting (XSS) vulnerability
Weaknesses: CWE-352
References: (empty)
Metrics cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:26.567Z

Reserved: 2025-04-09T11:20:57.810Z

Link: CVE-2025-32645

Vulnrichment

Updated: 2025-04-09T18:52:21.748Z

NVD

Status : Deferred

Published: 2025-04-09T17:15:50.120

Modified: 2026-06-17T09:12:21.267

Link: CVE-2025-32645

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T00:15:04Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)