CVE-2026-54843: WordPress MDTF plugin <= 1.3.7 - SQL Injection vulnerability
Unauthenticated SQL Injection in MDTF <= 1.3.7 versions.
Metrics
- CVSS v3.1: 9.3
- Severity: CRITICAL
- Fixed in: no upstream fix published yet
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an unauthenticated SQL injection vulnerability in the MDTF WordPress plugin (versions 1.3.7 and below), developed by PluginUs.Net. The flaw is reachable over the network without credentials, and no user interaction is required to trigger it. Successful exploitation gives an attacker read access to the underlying database (the vector records no integrity impact) and a limited availability impact. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
- Available: Detection for CVE-2026-54843 is available across every HarborGuard environment. The CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built WordPress images that bundle the MDTF plugin.
- Available: HarborGuard scores this CVE at 9.3 CRITICAL (CVSS v3.1) and can weight that score against each environment's compliance policy to set escalation priority; findings are routed to the appropriate team inbox within the customer organization according to configured alert rules.
- Pending upstream: No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as PluginUs.Net ships a remediated release. Customers with auto-remediation enabled receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the WordPress service over the network; no prior foothold on the host is needed.
- Authentication: Not required
No account or session token is needed; the vulnerable endpoint accepts unauthenticated requests.
- Victim interaction: Not required
The attacker triggers the SQL injection directly, without any action from a logged-in user.
- Attack complexity: Low (AC:L)
Exploitation is reliable and condition-free; no race condition, specific memory layout, or environmental dependency is required.
Blast Radius
- Reads arbitrary rows from the WordPress database, including user credentials (password hashes), email addresses, the session-token hashes WordPress keeps in user metadata, and plugin configuration data.
- Because the scope is changed (S:C in the CVSS vector), the impact is not confined to the plugin's own tables: anything the WordPress database account can read, including schemas beyond the WordPress one if that account has broader grants, is exposed.
- Limited availability impact (A:L): the database service may experience degraded performance or partial disruption under sustained injection queries.
How HarborGuard Handles This
Available on HarborGuard: monitoring of this CVE on every ingest cycle, because no upstream patch exists yet. In the meantime, customers can apply compensating controls through HarborGuard-integrated network policies: isolate the WordPress container so the MDTF plugin's endpoints are not reachable from untrusted network segments, and enable egress filtering to limit outbound data exfiltration if an injection succeeds. Network isolation only helps where the WordPress front end is not itself public; on an internet-facing site the unauthenticated endpoint stays exposed, so removing or disabling the plugin is the stronger control. If the plugin functionality is non-essential, feature-flag gating or removal of the plugin from the image build can be enforced as a build-time policy check. Once PluginUs.Net publishes a fix, HarborGuard ingests it and makes a patched-image rebuild available; customers who opt into auto-remediation get the rebuild, regression-test run, and PR against affected workloads automatically.
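As an added example (not HarborGuard's or PluginUs.Net's code), the build-time check mentioned above can be a script that walks a WordPress image's wp-content/plugins tree, reads each plugin's header, and fails the build when a plugin on an affected list is at or below its ceiling version. The directory slug `mdtf`, the `AFFECTED` table and the sample plugin files the script constructs are assumptions for illustration; confirm the real MDTF directory name in your image before relying on the slug. Versions are compared component by component so that 1.10.0 is not mistaken for a release below 1.3.7.

```python
"""Build-time policy check for a bundled WordPress plugin at an affected
version. Added illustration only; the plugin slug and sample files below
are assumptions, not PluginUs.Net's or HarborGuard's code."""
import os
import re
import sys
import tempfile
from typing import Dict, List, Optional, Tuple

# Version ceilings for affected plugins, keyed by plugin directory slug.
# ASSUMPTION: "mdtf" is used here as the MDTF directory name; verify it
# against the real image before enforcing this in CI.
AFFECTED: Dict[str, str] = {"mdtf": "1.3.7"}

# WordPress plugin headers live in a PHP comment at the top of the main file,
# either as "Plugin Name: X" lines or " * Plugin Name: X" inside /** ... */.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple so 1.10.0 > 1.3.7; a plain string compare gets this wrong."""
    nums = re.findall(r"\d+", v)
    return tuple(int(n) for n in nums) or (0,)


def plugin_header(plugin_dir: str) -> Optional[Dict[str, str]]:
    """Return {'name', 'version'} from the first .php file carrying a
    WordPress plugin header, or None if the directory has no such file."""
    for entry in sorted(os.listdir(plugin_dir)):
        if not entry.endswith(".php"):
            continue
        with open(os.path.join(plugin_dir, entry), encoding="utf-8", errors="replace") as fh:
            head = fh.read(8192)  # WordPress itself only inspects the top of the file
        fields = dict(HEADER_RE.findall(head))
        if "Plugin Name" in fields:
            # A missing Version header parses as 0 and is flagged (conservative).
            return {"name": fields["Plugin Name"], "version": fields.get("Version", "0")}
    return None


def find_affected(plugins_root: str) -> List[Dict[str, str]]:
    """Return every plugin under plugins_root whose slug is in AFFECTED and
    whose header Version is at or below the ceiling."""
    findings: List[Dict[str, str]] = []
    for slug in sorted(os.listdir(plugins_root)):
        ceiling = AFFECTED.get(slug)
        plugin_dir = os.path.join(plugins_root, slug)
        if ceiling is None or not os.path.isdir(plugin_dir):
            continue
        hdr = plugin_header(plugin_dir)
        if hdr and parse_version(hdr["version"]) <= parse_version(ceiling):
            findings.append({"slug": slug, "ceiling": ceiling, **hdr})
    return findings


def make_sample_tree(version: str, slug: str = "mdtf") -> str:
    """Constructed sample input: a throwaway plugins tree holding one plugin
    with the given header version. These are not real MDTF files."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    plugin_dir = os.path.join(root, slug)
    os.makedirs(plugin_dir)
    with open(os.path.join(plugin_dir, f"{slug}.php"), "w", encoding="utf-8") as fh:
        fh.write(f"<?php\n/*\nPlugin Name: Sample plugin ({slug})\nVersion: {version}\n*/\n")
    return root


if __name__ == "__main__":
    # Usage: python check_plugins.py /path/to/wp-content/plugins
    # With no argument, runs against a constructed sample tree.
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree("1.3.7")
    hits = find_affected(root)
    for h in hits:
        print(f"AFFECTED: {h['slug']} {h['version']} (<= {h['ceiling']}): {h['name']}")
    sys.exit(1 if hits else 0)  # non-zero exit fails the image build
```

Point the script at the extracted image filesystem (for example the wp-content/plugins directory of a container image unpacked with your usual tooling) and wire its exit status into the build; a hit blocks the image, which is the build-time gating the advisory describes.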
Affected Products
- PluginUs.Net / MDTF: ≤ 1.3.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L