Skip to main content

Mdtf

3 CVEs product

Monthly

CVE-2026-54845 HIGH This Week

Unauthenticated local file inclusion in the WordPress 'Meta Data and Taxonomy Filter' (MDTF) plugin by pluginus.net affects all versions up to and including 1.3.8, allowing remote attackers without credentials to coerce the PHP application into including arbitrary local files. Per its CVSS:3.1 vector (AV:N/PR:N), exploitation is network-reachable and unauthenticated, though the high attack complexity (AC:H) implies non-trivial preconditions. This is classified as information disclosure but rated 8.1 with full C/I/A impact; there is no public exploit identified at time of analysis and it is not on the CISA KEV list.

LFI Information Disclosure PHP Mdtf
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-54843 CRITICAL Act Now

SQL injection in the WordPress "Meta Data Filter & Taxonomy Filter" (MDTF) plugin by pluginus.net affects all versions up to and including 1.3.7, allowing remote attackers to inject arbitrary SQL into backend queries without authentication. Per the provided CVSS vector (PR:N), exploitation requires no login, and the high CVSS base score of 9.3 reflects network reachability plus a scope change. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS data supplied, so prioritization rests on the CVSS signal alone.

SQLi Mdtf
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2026-32455 MEDIUM This Month

A DOM-Based Cross-Site Scripting (XSS) vulnerability exists in the RealMag777 MDTF (Meta Data Filter and Taxonomy Filter) WordPress plugin affecting versions up to and including 1.3.5. An authenticated attacker with low privileges can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions. The vulnerability requires user interaction (UI:R) and is classified as moderate severity (CVSS 6.5), though its exploitability depends on plugin popularity and whether public proof-of-concept code becomes available.

XSS Mdtf
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the WordPress 'Meta Data and Taxonomy Filter' (MDTF) plugin by pluginus.net affects all versions up to and including 1.3.8, allowing remote attackers without credentials to coerce the PHP application into including arbitrary local files. Per its CVSS:3.1 vector (AV:N/PR:N), exploitation is network-reachable and unauthenticated, though the high attack complexity (AC:H) implies non-trivial preconditions. This is classified as information disclosure but rated 8.1 with full C/I/A impact; there is no public exploit identified at time of analysis and it is not on the CISA KEV list.

LFI Information Disclosure PHP +1
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in the WordPress "Meta Data Filter & Taxonomy Filter" (MDTF) plugin by pluginus.net affects all versions up to and including 1.3.7, allowing remote attackers to inject arbitrary SQL into backend queries without authentication. Per the provided CVSS vector (PR:N), exploitation requires no login, and the high CVSS base score of 9.3 reflects network reachability plus a scope change. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS data supplied, so prioritization rests on the CVSS signal alone.

SQLi Mdtf
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A DOM-Based Cross-Site Scripting (XSS) vulnerability exists in the RealMag777 MDTF (Meta Data Filter and Taxonomy Filter) WordPress plugin affecting versions up to and including 1.3.5. An authenticated attacker with low privileges can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions. The vulnerability requires user interaction (UI:R) and is classified as moderate severity (CVSS 6.5), though its exploitability depends on plugin popularity and whether public proof-of-concept code becomes available.

XSS Mdtf
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy