The Intuitive Custom Post Order WordPress plugin before 3.1.4 lacks CSRF protection in its update-menu-order ajax action, allowing an attacker to trick any user to change the menu order via a CSRF attack
[
{
"vendor": "Unknown",
"product": "Intuitive Custom Post Order",
"versions": [
{
"status": "affected",
"versionType": "custom",
"version": "0",
"lessThan": "3.1.4"
}
],
"defaultStatus": "unaffected",
"collectionURL": "https://wordpress.org/plugins"
}
]