WP Order By Security & Risk Analysis

wordpress.org/plugins/wp-order-by

Simple and easy way to order your posts, pages or any other custom post type using various options.

90 active installs · v1.4.2 · PHP + WP 4.1+ · Updated Apr 27, 2016
Tags: content-ordering, order-by, order-pages, order-post-type, order-posts

Score: 64 (C · Use Caution)
CVEs total: 1
Unpatched: 1
Last CVE: Jan 14, 2025
Safety Verdict

Is WP Order By Safe to Use in 2026?

Use With Caution

Score 64/100

WP Order By has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Jan 14, 2025 · Updated 9yr ago
Risk Assessment

The "wp-order-by" v1.4.2 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by having no known dangerous functions, no file operations, no external HTTP requests, and all SQL queries utilizing prepared statements. The presence of capability checks is also a good sign. However, a significant concern arises from the output escaping analysis, where 0% of the 22 total outputs are properly escaped. This indicates a high likelihood of Cross-Site Scripting (XSS) vulnerabilities, especially given the plugin's history of XSS-related CVEs.

The taint analysis, while showing a low number of flows, reveals that all analyzed flows have unsanitized paths. While no critical or high severity taint flows were identified, the presence of unsanitized paths is a precursor to potential vulnerabilities. The vulnerability history further amplifies these concerns, with one unpatched medium severity CVE directly related to XSS. The fact that the last vulnerability was in 2025 suggests a recent or ongoing security issue.

In conclusion, while the plugin has strengths in its handling of database queries and its limited attack surface, the pervasive lack of output escaping and the history of XSS vulnerabilities present a significant risk. The unpatched CVE and the taint analysis findings necessitate immediate attention to mitigate potential security breaches.

Key Concerns

  • Unpatched CVE (medium severity)
  • All analyzed taint flows have unsanitized paths
  • 0% of outputs properly escaped
Vulnerabilities (1)

WP Order By Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-22765 · medium (6.1) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Order By <= 1.4.2 - Reflected Cross-Site Scripting

Jan 14, 2025 · Unpatched
Code Analysis (analyzed Mar 16, 2026)

WP Order By Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 22 (0 escaped)
Nonce Checks: 0
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared (2 total queries)

Output Escaping

0% escaped (22 total outputs)
Data Flows (3 unsanitized)

Data Flow Analysis

3 flows, 3 with unsanitized paths
wpob_draw_settings (admin-options.php:292)
Attack Surface

WP Order By Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 10

Type    Hook                    Location
action  admin_init              admin-options.php:10
action  admin_init              admin-options.php:11
action  admin_enqueue_scripts   admin-options.php:12
action  admin_menu              admin-options.php:15
action  admin_init              admin-options.php:16
action  admin_init              admin-options.php:17
action  init                    admin-options.php:19
action  admin_menu              admin-options.php:23
action  pre_get_posts           admin-options.php:355
filter  get_meta_sql            admin-options.php:457
Maintenance & Trust

WP Order By Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.5.33
Last updated: Apr 27, 2016
PHP min version: not listed
Downloads: 5K

Community Trust

Rating: 100/100
Number of ratings: 7
Active installs: 90
Developer Profile

WP Order By Developer Profile

weiluri

2 plugins · 190 total installs

Trust score: 77
Avg Security Score: 75/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect WP Order By

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-order-by/css/wpob.css
/wp-content/plugins/wp-order-by/js/wpob.js
Script Paths
/wp-content/plugins/wp-order-by/js/wpob.js
Version Parameters
wp-order-by/css/wpob.css?ver=
wp-order-by/js/wpob.js?ver=

HTML / DOM Fingerprints

CSS Classes
posts_select_box
Data Attributes
wpob-exclude-posts
FAQ

Frequently Asked Questions about WP Order By