MDTF – Meta Data and Taxonomies Filter Security & Risk Analysis

wordpress.org/plugins/wp-meta-data-filter-and-taxonomy-filter

The main idea of the plugin is to make your WordPress site content filterable and searchable by meta fields and taxonomies at the same time.

1K active installs · v1.3.6 · PHP 7.2+ · WP 4.1.0+ · Updated Mar 2, 2026
Tags: filter, meta-filter, products-filter, taxonomies-filter, woocommerce
Score: 40
D · High Risk
CVEs total: 19
Unpatched: 1
Last CVE: Oct 24, 2025
Safety Verdict

Is MDTF – Meta Data and Taxonomies Filter Safe to Use in 2026?

High Risk

Score 40/100

MDTF – Meta Data and Taxonomies Filter carries significant security risk with 19 known CVEs, 1 still unpatched. Consider switching to a maintained alternative.

19 known CVEs · 1 unpatched · Last CVE: Oct 24, 2025 · Updated 1mo ago
Risk Assessment

The "wp-meta-data-filter-and-taxonomy-filter" plugin v1.3.6 presents a mixed security posture with some concerning aspects despite a generally good handling of output escaping and prepared statements. The static analysis reveals a substantial attack surface, with 25 out of 47 entry points lacking proper authorization checks. This is a significant concern, as it could allow unauthenticated users to trigger potentially sensitive actions. While the taint analysis did not reveal any critical or high-severity vulnerabilities, the presence of 7 flows with unsanitized paths warrants attention, as these could be vectors for vulnerabilities if exploited in conjunction with other weaknesses. The plugin's vulnerability history is particularly alarming, with a total of 19 known CVEs, including 2 critical and 4 high-severity vulnerabilities. The fact that one critical vulnerability remains unpatched is a severe risk. Common vulnerability types like XSS, Code Injection, SQL Injection, Missing Authorization, and CSRF in its history suggest recurring insecure coding practices that attackers have successfully exploited in the past.

Overall, the plugin exhibits a concerning pattern of past exploitable vulnerabilities, and the current version still has a significant number of unprotected entry points. While the code shows strengths in output escaping and the use of prepared statements for most SQL queries, the high number of unprotected AJAX handlers and the presence of unpatched historical vulnerabilities significantly elevate the risk. Users should exercise extreme caution, prioritize patching any known vulnerabilities, and ideally seek an updated version of the plugin that addresses these security deficiencies.

Key Concerns

  • Unpatched critical CVE
  • High number of unprotected AJAX handlers
  • Flows with unsanitized paths (7 total)
  • Missing authorization checks on AJAX handlers (25)
  • Vulnerability history indicates recurring insecure practices
  • Multiple high severity historical CVEs
  • Total of 19 known CVEs historically
Vulnerabilities
19

MDTF – Meta Data and Taxonomies Filter Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2023: 2 CVEs
2024: 10 CVEs
2025: 6 CVEs (has unpatched)

Severity Breakdown

Critical: 2
High: 4
Medium: 13

19 total CVEs

CVE-2025-49907 · medium · 4.3 · Missing Authorization

MDTF <= 1.3.3.9 - Missing Authorization

Oct 24, 2025 Patched in 1.3.4 (6d)
CVE-2025-62069 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MDTF <= 1.3.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Oct 16, 2025 Patched in 1.3.3.9 (7d)
CVE-2025-62964 · medium · 5.3 · Missing Authorization

MDTF <= 1.3.4 - Missing Authorization

Oct 16, 2025 · Unpatched
CVE-2025-54707 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

MDTF <= 1.3.3.7 - Unauthenticated SQL Injection

Aug 18, 2025 Patched in 1.3.3.8 (8d)
CVE-2024-13340 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MDTF – Meta Data and Taxonomies Filter <= 1.3.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 22, 2025 Patched in 1.3.3.7 (1d)
CVE-2024-12030 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

MDTF – Meta Data and Taxonomies Filter <= 1.3.3.5 - Authenticated (Contributor+) SQL Injection

Jan 7, 2025 Patched in 1.3.3.6 (1d)
CVE-2024-50450 · high · 7.3 · Improper Control of Generation of Code ('Code Injection')

WordPress Meta Data and Taxonomies Filter (MDTF) <= 1.3.3.4 - Unauthenticated Arbitrary Shortcode Execution

Oct 24, 2024 Patched in 1.3.3.5 (7d)
CVE-2024-50451 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Meta Data and Taxonomies Filter (MDTF) <= 1.3.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Oct 24, 2024 Patched in 1.3.3.5 (7d)
CVE-2024-8624 · critical · 9.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

MDTF – Meta Data and Taxonomies Filter <= 1.3.3.3 - Authenticated (Contributor+) SQL Injection

Sep 23, 2024 Patched in 1.3.3.4 (1d)
CVE-2024-8623 · high · 7.3 · Improper Control of Generation of Code ('Code Injection')

MDTF – Meta Data and Taxonomies Filter <= 1.3.3.3 - Unauthenticated Arbitrary Shortcode Execution

Sep 23, 2024 Patched in 1.3.3.4 (1d)
CVE-2024-34434 · critical · 9.1 · Improper Control of Generation of Code ('Code Injection')

WordPress Meta Data and Taxonomies Filter (MDTF) <= 1.3.3.2 - Unauthenticated Arbitrary Shortcode Execution

May 3, 2024 Patched in 1.3.3.3 (5d)
CVE-2024-32818 · medium · 4.3 · Missing Authorization

WordPress Meta Data and Taxonomies Filter (MDTF) <= 1.3.3 - Missing Authorization

Apr 22, 2024 Patched in 1.3.3.1 (8d)
CVE-2024-30457 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WordPress Meta Data and Taxonomies Filter (MDTF) <= 1.3.3.1 - Cross-Site Request Forgery

Mar 28, 2024 Patched in 1.3.3.2 (7d)
CVE-2024-29763 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Meta Data and Taxonomies Filter (MDTF) <= 1.3.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Mar 25, 2024 Patched in 1.3.3.1 (8d)
CVE-2024-29906 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Meta Data and Taxonomies Filter (MDTF) <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 25, 2024 Patched in 1.3.3 (8d)
CVE-2024-29932 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Meta Data and Taxonomies Filter (MDTF) <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 25, 2024 Patched in 1.3.3 (8d)
CVE-2023-28664 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MDTF – Meta Data and Taxonomies Filter <= 1.3.0.1 - Reflected Cross-Site Scripting via 'tax_name'

Mar 20, 2023 Patched in 1.3.1 (309d)
WF-7a5ab5f1-db14-4448-9186-35a5f382cd1a-wp-meta-data-filter-and-taxonomy-filter · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MDTF – Meta Data and Taxonomies Filter <= 1.3.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Jan 4, 2023 Patched in 1.3.1 (384d)
CVE-2021-20781 · high · 8.8 · Cross-Site Request Forgery (CSRF)

Meta Data Filter & Taxonomies Filter <= 1.2.7.2 - Cross-Site Request Forgery

Jul 14, 2021 Patched in 2.2.8 (923d)
Code Analysis
Analyzed Mar 16, 2026

MDTF – Meta Data and Taxonomies Filter Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 10 (30 prepared)
Unescaped Output: 186 (2333 escaped)
Nonce Checks: 7
Capability Checks: 6
File Operations: 4
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

jQuery

SQL Query Safety

75% prepared · 40 total queries

Output Escaping

93% escaped · 2519 total outputs
Data Flows
7 unsanitized

Data Flow Analysis

13 flows · 7 with unsanitized paths
encode_search_get_params (classes\page.php:145)
Attack Surface
25 unprotected

MDTF – Meta Data and Taxonomies Filter Attack Surface

Entry Points: 47
Unprotected: 25

AJAX Handlers 30

auth wp_ajax_meta_data_filter_add_item_to_data_group classes\html.php:10
auth wp_ajax_meta_data_filter_get_data_group_topage_items classes\page.php:10
auth wp_ajax_mdf_encode_search_get_params classes\page.php:11
nopriv wp_ajax_mdf_encode_search_get_params classes\page.php:12
auth wp_ajax_mdf_get_ajax_auto_recount_data classes\page.php:14
nopriv wp_ajax_mdf_get_ajax_auto_recount_data classes\page.php:15
auth wp_ajax_mdf_draw_shortcode_html_items classes\shortcodes.php:67
auth wp_ajax_mdf_search_button_get_content classes\shortcodes.php:72
nopriv wp_ajax_mdf_search_button_get_content classes\shortcodes.php:73
auth wp_ajax_mdf_search_panel classes\shortcodes.php:74
nopriv wp_ajax_mdf_search_panel classes\shortcodes.php:75
auth wp_ajax_mdf_posts_messenger_add_subscr ext\mdf_posts_messenger\mdf_posts_messenger.php:50
nopriv wp_ajax_mdf_posts_messenger_add_subscr ext\mdf_posts_messenger\mdf_posts_messenger.php:51
auth wp_ajax_mdf_posts_messenger_remove_subscr ext\mdf_posts_messenger\mdf_posts_messenger.php:52
nopriv wp_ajax_mdf_posts_messenger_remove_subscr ext\mdf_posts_messenger\mdf_posts_messenger.php:53
auth wp_ajax_mdf_get_operative_tables ext\mdf_stat\index.php:119
auth wp_ajax_mdf_get_stat_data ext\mdf_stat\index.php:120
auth wp_ajax_mdf_get_top_terms ext\mdf_stat\index.php:121
auth wp_ajax_mdf_stat_check_connection ext\mdf_stat\index.php:122
auth wp_ajax_draw_mdf_taxmeta_var ext\mdf_stat\index.php:123
nopriv wp_ajax_draw_mdf_taxmeta_var ext\mdf_stat\index.php:124
auth wp_ajax_mdf_util_term_to_meta ext\utilities.php:7
auth wp_ajax_meta_data_filter_set_sequence index.php:165
auth wp_ajax_mdf_get_tax_options_in_widget index.php:166
auth wp_ajax_mdf_change_meta_key index.php:167
auth wp_ajax_mdf_add_filter_item_to_widget index.php:168
auth wp_ajax_mdf_cache_count_data_clear index.php:169
auth wp_ajax_mdf_cache_terms_data_clear index.php:170
auth wp_ajax_mdf_draw_term_childs index.php:172
nopriv wp_ajax_mdf_draw_term_childs index.php:173

Shortcodes 17

[meta_data_filter_results] classes\shortcodes.php:48
[mdf_search_form] classes\shortcodes.php:49
[mdf_search_button] classes\shortcodes.php:50
[mdf_force_searching] classes\shortcodes.php:51
[mdf_value] classes\shortcodes.php:52
[mdf_select_title] classes\shortcodes.php:53
[mdf_post_features_panel] classes\shortcodes.php:54
[mdf_results_tax_navigation] classes\shortcodes.php:55
[mdf_results_by_ajax] classes\shortcodes.php:56
[mdf_range_select] classes\shortcodes.php:57
[mdf_search_panel] classes\shortcodes.php:58
[mdf_products] classes\shortcodes.php:60
[mdf_custom] classes\shortcodes.php:61
[mdf_gmap] ext\gmap.php:10
[mdf_gmap_const] ext\gmap.php:11
[mdf_posts_messenger] ext\mdf_posts_messenger\mdf_posts_messenger.php:56
[mdf_sort_panel] ext\sort_panel.php:46

WordPress Hooks 68

action admin_init classes\shortcodes.php:45
action load-post.php classes\shortcodes.php:62
action load-post-new.php classes\shortcodes.php:63
action save_post classes\shortcodes.php:64
action woocommerce_before_shop_loop classes\shortcodes.php:69
action woocommerce_after_shop_loop classes\shortcodes.php:70
filter post_class classes\shortcodes.php:659
action admin_footer classes\widgets.php:14
filter the_title ext\completeyourcar.php:8
action woocommerce_short_description ext\completeyourcar.php:9
action admin_init ext\const_links.php:43
action save_post ext\const_links.php:44
action wp_head ext\gmap.php:9
action admin_init ext\marketing.php:73
action admin_menu ext\marketing.php:74
action save_post ext\marketing.php:75
filter parse_query ext\marketing.php:78
action restrict_manage_posts ext\marketing.php:79
action mdf_posts_messenger_cron ext\mdf_posts_messenger\mdf_posts_messenger.php:45
action wp_footer ext\mdf_posts_messenger\mdf_posts_messenger.php:58
filter meta_data_filter_args ext\mdf_posts_messenger\mdf_posts_messenger.php:60
filter mdf_filter_arg_page ext\mdf_posts_messenger\mdf_posts_messenger.php:61
action init ext\mdf_posts_messenger\mdf_posts_messenger.php:63
action init ext\mdf_posts_messenger\mdf_posts_messenger.php:268
filter meta_data_filter_args ext\mdf_stat\index.php:87
action mdf_stat_wpcron ext\mdf_stat\index.php:110
action mdf_print_applications_tabs_content_stat ext\mdf_stat\index.php:594
action init ext\mdf_stat\index.php:1274
action admin_menu ext\mdtf-pagination\tw-pagination.php:28
action wp_print_styles ext\mdtf-pagination\tw-pagination.php:31
action admin_init ext\sort_panel.php:42
action save_post ext\sort_panel.php:43
action woocommerce_before_shop_loop ext\sort_panel.php:45
action before_woocommerce_init index.php:24
action admin_init index.php:134
action admin_menu index.php:135
action save_post index.php:136
action edit_attachment index.php:137
action wp_head index.php:146
action wp_footer index.php:147
action admin_head index.php:148
action restrict_manage_posts index.php:156
filter parse_query index.php:157
action pre_get_posts index.php:158
action load-edit.php index.php:162
filter mdf_filter_taxonomies index.php:175
filter mdf_filter_taxonomies2 index.php:176
filter meta_data_filter_args index.php:178
filter widget_text index.php:180
filter the_title index.php:181
filter the_content index.php:182
filter posts_where index.php:184
filter posts_where index.php:185
filter posts_where index.php:186
filter posts_where index.php:187
filter posts_where index.php:188
filter posts_where index.php:189
action body_class index.php:191
filter essgrid_modify_posts index.php:195
action woocommerce_before_shop_loop index.php:198
filter cron_schedules index.php:200
action mdtf_cache_count_data_auto_clean index.php:203
action mdtf_cache_terms_data_auto_clean index.php:211
action admin_notices index.php:593
filter request index.php:752
filter request index.php:753
action init index.php:1928
action widgets_init index.php:1929

Scheduled Events 2

mdtf_cache_count_data_auto_clean
mdtf_cache_terms_data_auto_clean
Maintenance & Trust

MDTF – Meta Data and Taxonomies Filter Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 2, 2026
PHP min version: 7.2
Downloads: 94K

Community Trust

Rating: 90/100
Number of ratings: 28
Active installs: 1K
Developer Profile

MDTF – Meta Data and Taxonomies Filter Developer Profile

RealMag777

12 plugins · 188K total installs

Trust score: 66
Avg Security Score: 82/100
Avg Patch Time: 209 days
Detection Fingerprints

How We Detect MDTF – Meta Data and Taxonomies Filter

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-meta-data-filter-and-taxonomy-filter/css/mdf_settings.css
/wp-content/plugins/wp-meta-data-filter-and-taxonomy-filter/js/front.js
/wp-content/plugins/wp-meta-data-filter-and-taxonomy-filter/js/mdf_settings.js
Script Paths
js/front.js
js/mdf_settings.js
Version Parameters
wp-meta-data-filter-and-taxonomy-filter/css/mdf_settings.css?ver=
wp-meta-data-filter-and-taxonomy-filter/js/front.js?ver=
wp-meta-data-filter-and-taxonomy-filter/js/mdf_settings.js?ver=

HTML / DOM Fingerprints

Data Attributes
data-mdf-slug
data-mdf-id
data-mdf-taxonomy
JS Globals
mdf_settings_data
FAQ

Frequently Asked Questions about MDTF – Meta Data and Taxonomies Filter