CVE-2025-32645: 
WordPress vulnerability analysis and mitigation

Cross-Site Request Forgery (CSRF) vulnerability was discovered in Hiren Patel Custom Posts Order plugin through version 4.4, which allows Stored Cross-Site Scripting (XSS) attacks. The vulnerability was disclosed on April 9, 2025, and affects all versions of Custom Posts Order up to and including version 4.4 (NVD, Patchstack).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) and allows unauthenticated attackers to perform CSRF attacks that can lead to stored XSS (NVD).

The vulnerability allows malicious actors to force higher privileged users to execute unwanted actions under their current authentication. This can potentially lead to stored cross-site scripting attacks, which could be used against high-privilege users such as administrators (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. The recommended mitigation is to remove and replace the software with an alternative solution, as the plugin is considered abandoned and unlikely to receive further updates or security fixes (Patchstack).