CVE-2026-24542 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the WP Term Order plugin developed by John James Jacoby, specifically affecting versions up to and including 2.1.0. WP Term Order is a WordPress plugin that allows administrators to customize the order of taxonomy terms. The CSRF vulnerability arises because the plugin fails to properly verify the origin of requests that modify term order settings. This lack of verification enables an attacker to craft malicious web requests that, when visited by an authenticated WordPress user (typically an administrator or editor), can cause unintended changes to the term order configuration without the user's consent. The vulnerability has a CVSS 3.1 base score of 4.3, indicating a medium severity level. The vector string (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) shows that the attack can be performed remotely over the network with low attack complexity, requires no privileges, but does require user interaction. The impact is limited to integrity, with no confidentiality or availability impact. No known exploits have been reported in the wild, and no patches have been officially released at the time of this report. The vulnerability is publicly disclosed and should be addressed promptly to prevent potential misuse.

For European organizations, the primary impact of this vulnerability is the potential unauthorized modification of taxonomy term orders within WordPress sites using the WP Term Order plugin. While this does not directly compromise sensitive data confidentiality or site availability, it can affect the integrity of website content presentation and navigation, potentially leading to user confusion, reputational damage, or indirect business impact. Organizations relying heavily on WordPress for content management, especially those with complex taxonomy structures or e-commerce sites, may experience operational disruptions or loss of trust if attackers manipulate term orders maliciously. Given that exploitation requires an authenticated user to interact with a malicious site, the risk is mitigated somewhat by user awareness and access controls. However, phishing or social engineering campaigns could increase the likelihood of exploitation. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure.

1. Monitor for and apply official patches or updates from the WP Term Order plugin developer as soon as they become available. 2. Implement anti-CSRF tokens in all forms and requests that modify term order settings to ensure request authenticity. 3. Restrict administrative and editor access to trusted users only, minimizing the number of accounts that can be targeted for CSRF attacks. 4. Educate users with elevated privileges about the risks of clicking on suspicious links or visiting untrusted websites while logged into WordPress. 5. Employ web application firewalls (WAFs) with rules designed to detect and block CSRF attack patterns targeting WordPress plugins. 6. Regularly audit WordPress plugins and remove or replace those that are outdated or no longer maintained. 7. Use security plugins that can detect unauthorized changes to taxonomy or content structures and alert administrators promptly.