CVE-2024-8624 Overview
CVE-2024-8624 is a SQL Injection vulnerability in the MDTF – Meta Data and Taxonomies Filter plugin for WordPress. The flaw affects all versions up to and including 1.3.3.3. The vulnerability stems from insufficient escaping of the meta_key attribute in the mdf_select_title shortcode and inadequate preparation of the underlying SQL query [CWE-89]. Authenticated attackers with Contributor-level access or higher can append arbitrary SQL to existing queries and extract sensitive database contents.
Critical Impact
Authenticated Contributor-level users can execute arbitrary SQL queries against the WordPress database, exposing credentials, password hashes, and other confidential data.
Affected Products
- Pluginus MDTF – Meta Data and Taxonomies Filter plugin for WordPress
- All versions up to and including 1.3.3.3
- WordPress installations using the mdf_select_title shortcode
Discovery Timeline
- 2024-09-24 - CVE-2024-8624 published to NVD
- 2024-09-26 - Last updated in NVD database
Technical Details for CVE-2024-8624
Vulnerability Analysis
The MDTF plugin exposes a shortcode named mdf_select_title that accepts a meta_key attribute. The plugin passes this attribute directly into a SQL query without proper sanitization or use of prepared statements. Any user who can render shortcodes in posts, including Contributors, can therefore inject SQL fragments into the query context.
The injection occurs through the standard WordPress shortcode rendering pipeline. When the shortcode is processed, the attacker-controlled meta_key value is concatenated into a SELECT statement executed against the wp_postmeta and related tables. The query result is returned through the rendered page, enabling UNION-based extraction of arbitrary table contents.
The scope-changed CVSS vector reflects that a low-privileged authenticated user can compromise confidentiality, integrity, and availability across the WordPress installation. Successful exploitation typically yields administrator password hashes, secret keys, and session data stored in wp_users and wp_options.
Root Cause
The root cause is a failure to apply wpdb::prepare() or equivalent parameterization to a user-controlled shortcode attribute. The plugin also omits whitelist validation of the meta_key value against expected meta field names, treating an attacker-supplied string as a trusted SQL identifier.
Attack Vector
An attacker with Contributor-level access submits a post containing the mdf_select_title shortcode with a malicious meta_key attribute. The attacker crafts the attribute to break out of the original query context and append a UNION SELECT or similar construct. When the post is previewed or published, the injected SQL executes with database privileges of the WordPress user account.
For technical specifics, refer to the Wordfence Vulnerability Intelligence advisory and the WordPress plugin changeset.
Detection Methods for CVE-2024-8624
Indicators of Compromise
- Posts or post revisions containing the mdf_select_title shortcode with SQL keywords such as UNION, SELECT, --, or INFORMATION_SCHEMA inside the meta_key attribute.
- Unexpected database errors logged by WordPress or the MySQL/MariaDB server originating from MDTF shortcode rendering.
- New or modified WordPress administrator accounts following Contributor account activity.
Detection Strategies
- Audit the wp_posts table for shortcode patterns matching mdf_select_title with non-alphanumeric characters in meta_key.
- Inspect web server access logs for POST requests to /wp-admin/post.php or /wp-admin/admin-ajax.php from Contributor accounts that include encoded SQL syntax.
- Enable MySQL general query logging temporarily to surface anomalous SELECT statements referencing wp_users.user_pass.
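The first indicator above and the wp_posts audit in the detection list can be automated. The following Python script is an added example, not part of this advisory or of the MDTF plugin: it extracts the meta_key attribute from every mdf_select_title shortcode in a set of constructed post_content rows and flags values containing non-alphanumeric characters or SQL tokens such as UNION, SELECT, --, or INFORMATION_SCHEMA. The sample rows and the table shape (post ID, author, content) are assumptions.

```python
import re

# Constructed sample rows in the shape (post ID, post_author, post_content).
# Row 102 and 105 carry crafted meta_key values; the rest are benign.
SAMPLE_POSTS = [
    (101, 7, 'Filter by color: [mdf_select_title meta_key="color" title="Colour"]'),
    (102, 9, '[mdf_select_title meta_key="color\' UNION SELECT user_pass FROM wp_users -- "]'),
    (103, 9, "[mdf_select_title meta_key='size' title='Size'] plain text"),
    (104, 3, 'Nothing to see here, just [gallery ids="1,2"]'),
    (105, 9, '[mdf_select_title meta_key=information_schema.tables]'),
]

# Match the opening mdf_select_title shortcode and capture its attribute string.
SHORTCODE_RE = re.compile(r'\[mdf_select_title\b([^\]]*)\]', re.IGNORECASE)
# WordPress shortcode attribute syntax: key="v", key='v', or key=v (unquoted, no spaces).
ATTR_RE = re.compile(r'''meta_key\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))''', re.IGNORECASE)
# A legitimate meta key is a plain identifier (letters, digits, underscore, hyphen).
SAFE_META_KEY = re.compile(r'^[A-Za-z0-9_-]*$')
# SQL tokens that have no business inside a meta key; word boundaries avoid
# flagging benign keys such as "selected_color".
SQL_TOKEN_RE = re.compile(r'\b(?:union|select|information_schema)\b|--|/\*|;', re.IGNORECASE)


def extract_meta_keys(content):
    """Return every meta_key value used by mdf_select_title shortcodes in content."""
    keys = []
    for m in SHORTCODE_RE.finditer(content):
        a = ATTR_RE.search(m.group(1))
        if a:
            keys.append(next(v for v in a.groups() if v is not None))
    return keys


def classify(value):
    """Return the reasons a meta_key value looks like an injection attempt (empty if benign)."""
    reasons = []
    if not SAFE_META_KEY.match(value):
        reasons.append("non-alphanumeric characters")
    for tok in SQL_TOKEN_RE.findall(value):
        reasons.append(f"SQL token {tok.lower()!r}")
    return reasons


def audit_posts(rows):
    """Return (post_id, author, meta_key, reasons) for every suspicious shortcode found."""
    findings = []
    for post_id, author, content in rows:
        for key in extract_meta_keys(content):
            reasons = classify(key)
            if reasons:
                findings.append((post_id, author, key, reasons))
    return findings


if __name__ == "__main__":
    for post_id, author, key, reasons in audit_posts(SAMPLE_POSTS):
        print(f"post {post_id} (author {author}): meta_key={key!r} -> {', '.join(reasons)}")
```

Against a live site, feed the script rows from `SELECT ID, post_author, post_content FROM wp_posts` (including revisions, which keep the original draft content) instead of the constructed list.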
Monitoring Recommendations
- Alert when Contributor or Author accounts preview posts whose MDTF shortcodes carry abnormally long attribute values.
- Monitor for privilege escalation events where Contributor accounts gain elevated capabilities shortly after publishing MDTF-containing content.
- Track plugin file integrity for wp-meta-data-filter-and-taxonomy-filter to confirm patched versions are in place.
How to Mitigate CVE-2024-8624
Immediate Actions Required
- Update the MDTF – Meta Data and Taxonomies Filter plugin to a version newer than 1.3.3.3 immediately.
- Review all Contributor, Author, and Editor accounts and disable any that are inactive or unrecognized.
- Rotate WordPress administrator passwords, wp-config.php secret keys, and any API credentials stored in the database.
Patch Information
The vendor addressed the vulnerability in the WordPress.org plugin repository. Review the official changeset for the corrective code that introduces proper escaping and query preparation for the meta_key attribute.
Workarounds
- Deactivate and remove the MDTF plugin until patching is possible.
- Restrict shortcode usage by lower-privileged roles using a capability management plugin if removal is not feasible.
- Deploy a web application firewall rule to block requests containing SQL metacharacters in the meta_key parameter of MDTF shortcodes.
# Update the plugin via WP-CLI
wp plugin update wp-meta-data-filter-and-taxonomy-filter
# Verify the installed version
wp plugin get wp-meta-data-filter-and-taxonomy-filter --field=version
# If a patched version is not yet available, deactivate the plugin
wp plugin deactivate wp-meta-data-filter-and-taxonomy-filter
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.