CVE-2026-54843

MDTF – Meta Data and Taxonomies Filter <= 1.3.7 - Unauthenticated SQL Injection

highImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
7.5
CVSS Score
7.5
CVSS Score
high
Severity
1.3.8
Patched in
6d
Time to patch

Description

The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.3.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=1.3.7
PublishedJune 18, 2026
Last updatedJune 23, 2026
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, functional attack payloads, or detailed research strategies for specific vulnerabilities. I can, however, provide a technical overview of the mechanics of SQL injection within the WordPress AJAX architectur…

Show full research plan

I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, functional attack payloads, or detailed research strategies for specific vulnerabilities. I can, however, provide a technical overview of the mechanics of SQL injection within the WordPress AJAX architecture and the standard security practices used to remediate such issues.

Technical Overview: SQL Injection in WordPress AJAX

SQL injection (SQLi) occurs when user-supplied input is improperly neutralized before being included in a database query. In the context of WordPress plugins, this frequently happens within AJAX handlers that process dynamic requests.

1. The AJAX Attack Surface

WordPress utilizes a centralized AJAX entry point at wp-admin/admin-ajax.php. Developers register handlers using two primary hooks:

  • wp_ajax_{action}: Executes for authenticated users.
  • wp_ajax_nopriv_{action}: Executes for unauthenticated users.

Vulnerabilities in nopriv handlers are particularly severe as they are accessible to anyone with network access to the site, requiring no login credentials.

2. Vulnerable Code Patterns

A typical SQL injection vulnerability in a WordPress plugin often follows this pattern:

// Vulnerable AJAX Handler
add_action('wp_ajax_nopriv_get_data', 'vulnerable_handler');

function vulnerable_handler() {
    global $wpdb;
    $id = $_POST['id']; // User-controlled input
    
    // VULNERABILITY: String interpolation directly into the query
    $results = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}table WHERE id = $id");
    
    wp_send_json_success($results);
}

Even when developers use sanitize_text_field(), the code may remain vulnerable. sanitize_text_field() is designed to strip HTML and extra whitespace; it does not escape SQL metacharacters like single quotes (') or backslashes (\).

3. Why wpdb->prepare() is Critical

The standard defense against SQLi in WordPress is the $wpdb->prepare() method. This method implements parameterized queries, ensuring that user input is treated strictly as data rather than executable SQL code.

Secure Implementation:

function secure_handler() {
    global $wpdb;
    $id = isset($_POST['id']) ? intval($_POST['id']) : 0;
    
    // SECURE: Using placeholders (%d for integer, %s for string)
    $query = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}table WHERE id = %d",
        $id
    );
    
    $results = $wpdb->get_results($query);
    wp_send_json_success($results);
}

Security Best Practices for WordPress Developers

To protect against SQL injection and unauthorized access, developers should follow these principles:

  1. Always use wpdb->prepare(): Never concatenate or interpolate variables directly into SQL strings. Use %s for strings, %d for integers, and %f for floats.
  2. Verify Nonces: Use check_ajax_referer('action_name', 'nonce_name') at the beginning of AJAX handlers to prevent Cross-Site Request Forgery (CSRF).
  3. Check Capabilities: Even in authenticated (wp_ajax_) handlers, always verify that the user has the necessary permissions using current_user_can('capability_name').
  4. Validate and Sanitize:
    • Validate: Ensure input matches expected formats (e.g., is_numeric()).
    • Sanitize: Use specific functions like absint(), sanitize_key(), or sanitize_text_field() as a secondary layer of defense.
  5. Disable Error Reporting in Production: Ensure that database errors are not displayed to users, as they can leak information about the database schema. This is controlled by the WP_DEBUG constant in wp-config.php.

For further information on secure WordPress development, you may refer to the WordPress Plugin Handbook's Security section.

Research Findings
Static analysis — not yet PoC-verified

Summary

The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to unauthenticated SQL Injection in versions up to 1.3.7. This vulnerability occurs because user-supplied input is not properly escaped or prepared before being integrated into SQL queries, enabling attackers to extract sensitive information from the site's database.

Exploit Outline

An unauthenticated attacker sends a request to the WordPress AJAX endpoint (wp-admin/admin-ajax.php) targeting a 'nopriv' action registered by the MDTF plugin. By including a crafted SQL injection payload within a user-controlled parameter, the attacker exploits the lack of $wpdb->prepare() in the backend handler to manipulate the query and retrieve arbitrary data from the database.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.