Description
Unauthenticated Local File Inclusion in MDTF <= 1.3.8 versions.
Published: 2026-06-25
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated Local File Inclusion in the MDTF WordPress plugin allows an attacker to specify arbitrary file paths that the plugin reads and returns to the requester. The flaw corresponds to CWE‑98. Through this vulnerability, an attacker can read sensitive files on the server, resulting in confidentiality loss and potentially delivering code if writable files are included, which could lead to further compromise.

Affected Systems

WordPress sites that have the MDTF plugin from PluginUs.Net installed on version 1.3.8 or earlier are affected. Sites running the plugin on any higher version are not considered vulnerable.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity risk. The EPSS score is not available, which limits insight into current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw is unauthenticated and only requires a crafted request to the plugin’s endpoint, any visitor can potentially trigger it, making the risk significant for exposed sites.

Generated by OpenCVE AI on June 25, 2026 at 16:02 UTC.

Remediation

Vendor Solution

Update the WordPress MDTF Plugin to the latest available version (at least 1.3.9).

OpenCVE Recommended Actions

  • Update the MDTF plugin to version 1.3.9 or newer as the vendor’s solution
  • Configure the web server or PHP environment to deny arbitrary file reads, for example by setting allow‑includes to Off and protecting the plugin directory with appropriate file permissions
  • If upgrading immediately is not possible, temporarily disable the plugin or restrict access to its internal files by applying web‑application firewall rules or access control settings

Generated by OpenCVE AI on June 25, 2026 at 16:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in MDTF <= 1.3.8 versions.
Title WordPress MDTF plugin <= 1.3.8 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-25T13:12:36.187Z

Reserved: 2026-06-16T09:22:02.525Z

Link: CVE-2026-54845

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T16:15:15Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')