Title: Security vulnerability?
Last modified: January 27, 2026

---

# Security vulnerability?

 *  [scmsteve](https://wordpress.org/support/users/scmsteve/)
 * (@scmsteve)
 * [2 months, 2 weeks ago](https://wordpress.org/support/topic/security-vulnerability-211/)
 * Jetpack has flagged this as having a security vulnerability, no details about
   exactly what it is.
 * Any chance it can be patched? This seems very dormant.
 * UPDATE: I had an AI security vulnerability run on it:
 * Security Issue Fixed: CSRF (Cross-Site Request Forgery)
 * Severity: HIGH
 * Vulnerability: The AJAX endpoint `ajax_reordering_terms()` had no nonce
   verification. An attacker could craft a malicious webpage that, when visited
   by a logged-in WordPress admin, would silently reorder taxonomy terms without
   their knowledge or consent.
 * Changes Made:
    1. scm-wp-term-order.php – Added nonce generation (lines 271-274):
       ```php
       wp_localize_script( 'term-order-reorder', 'termOrderData', array( 'nonce' => wp_create_nonce( 'term_order_reorder' ), ) );
       ```
    2. scm-wp-term-order.php – Added nonce verification in AJAX handler (lines
       999-1002):
       ```php
       if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( $_POST['nonce'], 'term_order_reorder' ) ) {
           die( -1 );
       }
       ```
    3. js/reorder.js – Added nonce to both AJAX requests (lines 113, 186):
       ```js
       nonce: termOrderData.nonce
       ```
    4. Additional hardening – Output escaping:
       - Added esc_html() to column value output (line 435)
       - Added esc_attr() to form field value output (line 681)
 * The plugin now properly validates that AJAX requests originate from legitimate
   WordPress admin sessions, preventing CSRF attacks.
 *  -  This topic was modified 2 months, 2 weeks ago by [scmsteve](https://wordpress.org/support/users/scmsteve/).
      Reason: Update with security info
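The fix pattern described in the post above, written out as an added example that is not the plugin's own code: a CSRF-prone AJAX handler beside a hardened one that adds the nonce the post describes and a capability check. The hook and action names (`my_reorder_terms*`, `my_term_reorder`), the `my_` prefix and the `my_apply_term_order()` helper are placeholders; only `js/reorder.js` and `termOrderData` come from the thread.

```php
<?php
// BEFORE: nothing ties this POST to a page WordPress rendered for the admin,
// so any third-party page the admin visits can submit it via their session.
add_action( 'wp_ajax_my_reorder_terms_unsafe', function () {
    $order = array_map( 'absint', (array) ( $_POST['order'] ?? array() ) );
    my_apply_term_order( $order );
    wp_die( '1' );
} );

// AFTER, step 1: hand the page script a nonce bound to the current user and
// the action name. The JS then sends it as `nonce: termOrderData.nonce`.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'edit-tags.php' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'my-term-order', plugins_url( 'js/reorder.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'my-term-order', 'termOrderData', array(
        'nonce' => wp_create_nonce( 'my_term_reorder' ),
    ) );
} );

// AFTER, step 2: verify the nonce AND the capability before changing state.
// check_ajax_referer() ends the request with -1 if the nonce is missing,
// forged or expired (same effect as the post's wp_verify_nonce() + die( -1 )).
// The capability check is still needed: a valid nonce only proves the request
// came from a page rendered for this user, not that the user may edit terms.
add_action( 'wp_ajax_my_reorder_terms', function () {
    check_ajax_referer( 'my_term_reorder', 'nonce' );

    $taxonomy = sanitize_key( $_POST['taxonomy'] ?? 'category' );
    $tax      = get_taxonomy( $taxonomy );
    if ( ! $tax || ! current_user_can( $tax->cap->manage_terms ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Whitelist the payload shape: a list of non-negative integer term IDs.
    $order = array_map( 'absint', (array) ( $_POST['order'] ?? array() ) );
    my_apply_term_order( $order );
    wp_send_json_success( array( 'count' => count( $order ) ) );
} );

// Hypothetical stand-in for the plugin's real reordering logic.
function my_apply_term_order( array $term_ids ) {
    foreach ( $term_ids as $position => $term_id ) {
        update_term_meta( $term_id, 'order', $position );
    }
}
```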

Viewing 1 replies (of 1 total)

 *  [leanderbraunschweig](https://wordpress.org/support/users/leanderbraunschweig/)
 * (@leanderbraunschweig)
 * [3 weeks, 2 days ago](https://wordpress.org/support/topic/security-vulnerability-211/#post-18863490)
 * Seems to have been fixed in Version 2.2.0.



 * [WP Term Order](https://wordpress.org/plugins/wp-term-order/)

 * 2 replies
 * 2 participants
 * Last reply from: [leanderbraunschweig](https://wordpress.org/support/users/leanderbraunschweig/)
 * Last activity: [3 weeks, 2 days ago](https://wordpress.org/support/topic/security-vulnerability-211/#post-18863490)
 * Status: not resolved