Description
Unauthenticated SQL Injection in MDTF <= 1.3.7 versions.
Published: 2026-06-25
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated SQL Injection was discovered in the WordPress MDTF Plugin for versions 1.3.7 and earlier. The flaw allows an attacker to inject arbitrary SQL statements into database queries because user input is neither sanitized nor passed through parameterized queries, potentially allowing the attacker to read, modify, or delete data in the WordPress database. This can result in data disclosure, integrity loss, or full compromise of the site’s data.

Affected Systems

The affected product is the WordPress MDTF Plugin released by PluginUs.Net. All releases 1.3.7 and older are vulnerable; upgrading to version 1.3.8 or newer is necessary to resolve the issue. The plugin is commonly used in WordPress installations for metadata filtering.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but the lack of a KEV entry does not reduce the risk. The flaw is unauthenticated, meaning any external user can potentially exploit it by submitting crafted data to the plugin’s interface – although the official description does not specify the exact input paths. Because the plugin is widely deployed, the likelihood of exploitation is considered high.

Generated by OpenCVE AI on June 25, 2026 at 16:03 UTC.

Remediation

Vendor Solution

Update the WordPress MDTF Plugin to the latest available version (at least 1.3.8).


OpenCVE Recommended Actions

  • Update the WordPress MDTF Plugin to version 1.3.8 or newer.
  • If the plugin is not required, uninstall or disable it.
  • Examine the WordPress database for unexpected queries or data changes and restore from a recent backup if necessary.

Generated by OpenCVE AI on June 25, 2026 at 16:03 UTC.

Tracking


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 14:30:00 +0000

Type     | Values Removed | Values Added
Metrics  |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Unauthenticated SQL Injection in MDTF <= 1.3.7 versions.
Title       |                | WordPress MDTF plugin <= 1.3.7 - SQL Injection vulnerability
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV3_1: {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-25T14:02:43.995Z

Reserved: 2026-06-16T09:22:02.525Z

Link: CVE-2026-54843

Vulnrichment

Updated: 2026-06-25T14:02:40.676Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T16:15:15Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')