Impact
The WP Posts Re-order plugin, in all versions up to 1.0, fails to validate nonces in the cpt_plugin_options() function. This flaw allows an unauthenticated attacker to send a forged request that causes a logged‑in administrator to unknowingly submit form data, thereby changing plugin settings such as capability levels, autosort, and adminsort. The resulting unauthorized configuration changes can alter how content is sorted or displayed and may grant elevated privileges to the attacker. The weakness is a classic Cross‑Site Request Forgery (CWE‑352).
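The defect described above is the absence of a nonce check on a settings form handler. The following PHP is an added illustration of that pattern and its fix, not code from the WP Posts Re-order plugin: the option key, form field names and function names are assumed, and only the setting names (capability, autosort, adminsort) follow the advisory. The vulnerable handler accepts any POST that reaches it; the hardened handler requires a capability check, a valid nonce and an allow-listed capability value.

```php
<?php
// Added illustration, not the plugin's own code. Option key, field names
// and function names are assumed; setting names follow the advisory.

// --- Vulnerable pattern: the handler trusts any POST that reaches it. ---
function example_options_page_vulnerable() {
    if ( isset( $_POST['submit'] ) ) {
        // No nonce check: a cross-site POST replayed by a logged-in admin's
        // browser is indistinguishable from a legitimate submission, so an
        // attacker-chosen capability level can be written into the options.
        update_option( 'example_reorder_settings', array(
            'capability' => $_POST['capability'],
            'autosort'   => $_POST['autosort'],
            'adminsort'  => $_POST['adminsort'],
        ) );
    }
    example_render_form( false );
}

// --- Hardened pattern: authorization, nonce, then validated input. ---
function example_options_page_hardened() {
    // Authorization: a nonce is not a permission check, so gate the page
    // on a capability first.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ) );
    }

    if ( isset( $_POST['submit'] ) ) {
        // CSRF defence: check_admin_referer() verifies the nonce field that
        // wp_nonce_field() emitted for this user and action, and dies with
        // a 403 page when it is missing, expired or forged.
        check_admin_referer( 'example_reorder_save', 'example_reorder_nonce' );

        // Allow-list the capability instead of storing arbitrary input, so
        // even a legitimate admin cannot set a nonsensical or empty value.
        $allowed_caps = array( 'manage_options', 'edit_others_posts', 'edit_posts' );
        $capability   = sanitize_key( wp_unslash( $_POST['capability'] ?? '' ) );
        if ( ! in_array( $capability, $allowed_caps, true ) ) {
            $capability = 'manage_options';
        }

        update_option( 'example_reorder_settings', array(
            'capability' => $capability,
            'autosort'   => empty( $_POST['autosort'] ) ? 0 : 1,
            'adminsort'  => empty( $_POST['adminsort'] ) ? 0 : 1,
        ) );
    }
    example_render_form( true );
}

// Renders the settings form; the hardened page includes the nonce field.
function example_render_form( $with_nonce ) {
    $opts = get_option( 'example_reorder_settings', array() );
    $cap  = isset( $opts['capability'] ) ? $opts['capability'] : 'manage_options';
    echo '<form method="post">';
    if ( $with_nonce ) {
        // Hidden field bound to the current user, session and action name.
        wp_nonce_field( 'example_reorder_save', 'example_reorder_nonce' );
    }
    echo '<input type="text" name="capability" value="' . esc_attr( $cap ) . '">';
    echo '<input type="checkbox" name="autosort" value="1" '
        . checked( ! empty( $opts['autosort'] ), true, false ) . '>';
    echo '<input type="checkbox" name="adminsort" value="1" '
        . checked( ! empty( $opts['adminsort'] ), true, false ) . '>';
    echo '<input type="submit" name="submit" value="Save">';
    echo '</form>';
}
```

The order of checks in the hardened handler matters: `current_user_can()` decides who may change settings at all, the nonce ties a submission to a form that WordPress rendered for that user (which a request launched from an attacker's page cannot carry), and the allow-list keeps the stored capability within a known set. Any one of these alone is insufficient; the page's flaw is the missing middle step.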
Affected Systems
The vulnerability impacts sites running the suifengtec WP Posts Re-order WordPress plugin version 1.0 or earlier. Any WordPress installation that has this plugin installed and has not been updated beyond version 1.0 is affected.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity. Exploitation requires the attacker to lure an administrator into clicking a crafted link or submitting a form, a common social‑engineering tactic. Because the flaw does not lead to server‑side code execution, the risk is lower than that of an RCE but still significant for sites that rely on the plugin's sorting behavior. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, which suggests little evidence of exploitation in the wild, though it remains a viable threat. The likely attack vector is an HTTP request originating from an attacker's domain that a site administrator's browser is tricked into sending.
OpenCVE Enrichment