Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 MDTF wp-meta-data-filter-and-taxonomy-filter allows DOM-Based XSS.This issue affects MDTF: from n/a through <= 1.3.5.
AnalysisAI
A DOM-Based Cross-Site Scripting (XSS) vulnerability exists in the RealMag777 MDTF (Meta Data Filter and Taxonomy Filter) WordPress plugin affecting versions up to and including 1.3.5. An authenticated attacker with low privileges can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions. The vulnerability requires user interaction (UI:R) and is classified as moderate severity (CVSS 6.5), though its exploitability depends on plugin popularity and whether public proof-of-concept code becomes available.
Technical ContextAI
The vulnerability is rooted in improper neutralization of user-supplied input during dynamic web page generation, classified under CWE-79 (Cross-site Scripting). DOM-Based XSS occurs when client-side JavaScript processes untrusted input without proper sanitization or encoding, allowing attackers to manipulate the Document Object Model. The affected product is RealMag777's MDTF WordPress plugin (CPE identifier likely cpe:2.3:a:realmag777:mdtf), which provides metadata filtering and taxonomy filtering functionality for WordPress sites. The vulnerability likely exists in JavaScript code that dynamically constructs filter UI elements or processes taxonomy-related parameters without adequate output encoding, enabling attacker-controlled data to be interpreted as executable code rather than harmless text.
RemediationAI
Immediately upgrade the RealMag777 MDTF plugin to the latest patched version (confirmed as later than 1.3.5) available from the WordPress plugin repository or the vendor's official site. If a patched version is not yet available, disable the plugin entirely until a security update is released. As a temporary mitigation, restrict plugin access to trusted administrator accounts only via WordPress role-based access controls, and implement Content Security Policy (CSP) headers at the web server level to restrict inline script execution. Monitor WordPress logs for suspicious activity from authenticated users and consider implementing Web Application Firewall (WAF) rules to detect and block XSS payloads targeting the MDTF filter endpoints. Notify all site administrators and editors of the vulnerability and advise them against clicking untrusted links while the plugin remains unpatched.
SQL injection in the WordPress "Meta Data Filter & Taxonomy Filter" (MDTF) plugin by pluginus.net affects all versions u
Unauthenticated local file inclusion in the WordPress 'Meta Data and Taxonomy Filter' (MDTF) plugin by pluginus.net affe
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12009