My Post Order Security & Risk Analysis

wordpress.org/plugins/my-posts-order

A plugin which allows you to sort posts, pages, custom post type in ANY order and display the same in your sidebar.

400 active installs · v1.2.1.1 · PHP + WP 3.0+ · Updated Jan 11, 2013
Tags: arrange-post-order, custom-post-order, custom-post-type, page-order, sort-post
Score: 63/100 (C · Use Caution)
CVEs total: 1
Unpatched: 1
Last CVE: Jan 19, 2026
Safety Verdict

Is My Post Order Safe to Use in 2026?

Use With Caution

Score 63/100

My Post Order has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Jan 19, 2026 · Updated 13yr ago
Risk Assessment

The "my-posts-order" plugin version 1.2.1.1 exhibits a concerning security posture because of a significant number of unprotected AJAX handlers and a history of vulnerabilities. The plugin does show some good practices, such as prepared statements for most of its SQL queries and no external HTTP request surface at all, but these strengths are overshadowed by critical weaknesses. Seven AJAX handlers with no authentication checks present a wide attack surface and leave the plugin open to unauthorized actions. Furthermore, the taint analysis reports flows with unsanitized paths; although none of them reaches critical or high severity, they point to injection risks that could be exploited.

The vulnerability history of this plugin is a major red flag. One known medium-severity CVE remains unpatched, and the most recent entry is dated in the future (2026-01-19), which indicates a pattern of security flaws. The vulnerability type, Cross-site Scripting, further highlights the risks associated with improper input neutralization. The plugin's complete lack of capability checks and its single nonce check across all entry points exacerbate these risks, as the plugin appears to rely on front-end validation or on insufficient back-end checks.

In conclusion, despite some positive aspects such as structured SQL queries, the "my-posts-order" plugin version 1.2.1.1 has significant security deficiencies. The unprotected AJAX endpoints, the unsanitized data flows, and the unpatched vulnerability together create substantial risk. Users should be extremely cautious, and developers should prioritize the unprotected entry points and the unpatched CVE.

Key Concerns

  • Unpatched CVE
  • 7 unprotected AJAX handlers
  • Flows with unsanitized paths detected
  • Only 1 nonce check
  • 0 capability checks
  • Only 8% output escaping
  • Dangerous function: unserialize
Vulnerabilities: 1

My Post Order Security Vulnerabilities

CVEs by Year

2026: 1 CVE (unpatched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2025-68004 · medium (6.1) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

My Post Order <= 1.2.1.1 - Reflected Cross-Site Scripting

Jan 19, 2026 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

My Post Order Code Analysis

Dangerous Functions: 7
Raw SQL Queries: 2 (18 prepared)
Unescaped Output: 61 (5 escaped)
Nonce Checks: 1
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize | $combined_value = unserialize($section_object->section_meta_value); | includes\add_edit_criteria.php:28
unserialize | $combined_value = unserialize($section_object->section_meta_value); | includes\add_edit_criteria.php:39
unserialize | return (@unserialize($string) !== false); | includes\functions.php:92
unserialize | $combined_value = unserialize($section_data->section_meta_value); | includes\functions.php:224
unserialize | $combined_value = unserialize($section_data->section_meta_value); | includes\functions.php:238
unserialize | $combined_value = unserialize($section_data->section_meta_value); | includes\widget.php:35
unserialize | $combined_value = unserialize($section_data->section_meta_value); | includes\widget.php:59

SQL Query Safety

90% prepared (18 of 20 total queries)

Output Escaping

8% escaped (5 of 66 total outputs)
Data Flows: 2 unsanitized

Data Flow Analysis

2 flows, 2 with unsanitized paths
<drag_drop_criteria> (includes\drag_drop_criteria.php:0)
Attack Surface: 7 unprotected

My Post Order Attack Surface

Entry Points: 7
Unprotected: 7

AJAX Handlers (7)

auth | wp_ajax_search_posts | includes\functions.php:51
auth | wp_ajax_save_section_data | my-posts-order.php:54
auth | wp_ajax_add_edit_section | my-posts-order.php:63
auth | wp_ajax_edit_section | my-posts-order.php:73
auth | wp_ajax_delete_section_data | my-posts-order.php:82
auth | wp_ajax_get_content_type | my-posts-order.php:105
auth | wp_ajax_drag_drop_criteria | my-posts-order.php:114
WordPress Hooks (10)

filter | pre_get_posts | includes\functions.php:144
filter | posts_request | includes\functions.php:160
filter | posts_orderby | includes\functions.php:173
filter | post_limits | includes\functions.php:188
filter | posts_where | includes\functions.php:207
action | widgets_init | includes\widget.php:5
filter | posts_orderby | includes\widget.php:45
filter | posts_orderby | includes\widget.php:76
action | admin_menu | my-posts-order.php:37
filter | plugin_action_links | my-posts-order.php:92
Maintenance & Trust

My Post Order Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.5.2
Last updated: Jan 11, 2013
PHP min version:
Downloads: 61K

Community Trust

Rating: 58/100
Number of ratings: 7
Active installs: 400
Developer Profile

My Post Order Developer Profile

Kapil Chugh

3 plugins · 1K total installs

Trust score: 79
Avg Security Score: 78/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect My Post Order

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/my-posts-order/my_posts_order.js
/wp-content/plugins/my-posts-order/jquery.tablednd.js
/wp-content/plugins/my-posts-order/theme-editor.css
Script Paths
my_posts_order.js
jquery.tablednd.js
Version Parameters
my-posts-order/my_posts_order.js?ver=1.0

HTML / DOM Fingerprints

Data Attributes
data-section_identifier
JS Globals
MPO_IMAGES_PATH
REST Endpoints
/wp-json/my-posts-order/v1/sections
FAQ

Frequently Asked Questions about My Post Order