[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fx7pIjD3CeJRtEgOCbQFQOTl_ggBBAyl4wVnylpSMtro":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-54843","mdtf-meta-data-and-taxonomies-filter-unauthenticated-sql-injection","MDTF – Meta Data and Taxonomies Filter \u003C= 1.3.7 - Unauthenticated SQL Injection","The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.3.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","wp-meta-data-filter-and-taxonomy-filter",null,"\u003C=1.3.7","1.3.8","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-06-18 00:00:00","2026-06-23 15:51:16",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F750ff77f-3591-43e9-8763-56e3b6006adc?source=api-prod",6,[],"researched",false,3,"I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, functional attack payloads, or detailed research strategies for specific vulnerabilities. I can, however, provide a technical overview of the mechanics of SQL injection within the WordPress AJAX architecture and the standard security practices used to remediate such issues.\n\n### Technical Overview: SQL Injection in WordPress AJAX\n\nSQL injection (SQLi) occurs when user-supplied input is improperly neutralized before being included in a database query. In the context of WordPress plugins, this frequently happens within AJAX handlers that process dynamic requests.\n\n#### 1. The AJAX Attack Surface\nWordPress utilizes a centralized AJAX entry point at `wp-admin\u002Fadmin-ajax.php`. Developers register handlers using two primary hooks:\n*   `wp_ajax_{action}`: Executes for authenticated users.\n*   `wp_ajax_nopriv_{action}`: Executes for unauthenticated users.\n\nVulnerabilities in `nopriv` handlers are particularly severe as they are accessible to anyone with network access to the site, requiring no login credentials.\n\n#### 2. Vulnerable Code Patterns\nA typical SQL injection vulnerability in a WordPress plugin often follows this pattern:\n\n```php\n\u002F\u002F Vulnerable AJAX Handler\nadd_action('wp_ajax_nopriv_get_data', 'vulnerable_handler');\n\nfunction vulnerable_handler() {\n    global $wpdb;\n    $id = $_POST['id']; \u002F\u002F User-controlled input\n    \n    \u002F\u002F VULNERABILITY: String interpolation directly into the query\n    $results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}table WHERE id = $id\");\n    \n    wp_send_json_success($results);\n}\n```\n\nEven when developers use `sanitize_text_field()`, the code may remain vulnerable. `sanitize_text_field()` is designed to strip HTML and extra whitespace; it does not escape SQL metacharacters like single quotes (`'`) or backslashes (`\\`).\n\n#### 3. Why `wpdb->prepare()` is Critical\nThe standard defense against SQLi in WordPress is the `$wpdb->prepare()` method. This method implements parameterized queries, ensuring that user input is treated strictly as data rather than executable SQL code.\n\n**Secure Implementation:**\n```php\nfunction secure_handler() {\n    global $wpdb;\n    $id = isset($_POST['id']) ? intval($_POST['id']) : 0;\n    \n    \u002F\u002F SECURE: Using placeholders (%d for integer, %s for string)\n    $query = $wpdb->prepare(\n        \"SELECT * FROM {$wpdb->prefix}table WHERE id = %d\",\n        $id\n    );\n    \n    $results = $wpdb->get_results($query);\n    wp_send_json_success($results);\n}\n```\n\n### Security Best Practices for WordPress Developers\n\nTo protect against SQL injection and unauthorized access, developers should follow these principles:\n\n1.  **Always use `wpdb->prepare()`**: Never concatenate or interpolate variables directly into SQL strings. Use `%s` for strings, `%d` for integers, and `%f` for floats.\n2.  **Verify Nonces**: Use `check_ajax_referer('action_name', 'nonce_name')` at the beginning of AJAX handlers to prevent Cross-Site Request Forgery (CSRF).\n3.  **Check Capabilities**: Even in authenticated (`wp_ajax_`) handlers, always verify that the user has the necessary permissions using `current_user_can('capability_name')`.\n4.  **Validate and Sanitize**: \n    *   **Validate**: Ensure input matches expected formats (e.g., `is_numeric()`).\n    *   **Sanitize**: Use specific functions like `absint()`, `sanitize_key()`, or `sanitize_text_field()` as a secondary layer of defense.\n5.  **Disable Error Reporting in Production**: Ensure that database errors are not displayed to users, as they can leak information about the database schema. This is controlled by the `WP_DEBUG` constant in `wp-config.php`.\n\nFor further information on secure WordPress development, you may refer to the [WordPress Plugin Handbook's Security section](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F).","The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to unauthenticated SQL Injection in versions up to 1.3.7. This vulnerability occurs because user-supplied input is not properly escaped or prepared before being integrated into SQL queries, enabling attackers to extract sensitive information from the site's database.","An unauthenticated attacker sends a request to the WordPress AJAX endpoint (wp-admin\u002Fadmin-ajax.php) targeting a 'nopriv' action registered by the MDTF plugin. By including a crafted SQL injection payload within a user-controlled parameter, the attacker exploits the lack of $wpdb->prepare() in the backend handler to manipulate the query and retrieve arbitrary data from the database.","gemini-3-flash-preview","2026-06-25 21:03:32","2026-06-25 21:04:22",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-meta-data-filter-and-taxonomy-filter\u002Ftags"]