CVE-2026-7537

MDJM Event Management <= 1.7.8.3 - Authenticated (Administrator+) Arbitrary File Upload via 'mdjm_email_upload_file' Parameter

highUnrestricted Upload of File with Dangerous Type
7.2
CVSS Score
7.2
CVSS Score
high
Severity
1.7.8.4
Patched in
1d
Time to patch

Description

The MDJM Event Management plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7.8.3 via the mdjm_send_comm_email function. This is due to no file type, extension, or MIME type validation being performed on uploaded files. This makes it possible for authenticated attackers, with administrator-level access and above, to upload files that may be executable, which makes remote code execution possible.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=1.7.8.3
PublishedJune 5, 2026
Last updatedJune 6, 2026
Affected pluginmobile-dj-manager

What Changed in the Fix

Changes introduced in v1.7.8.4

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to analyze this vulnerability for the purpose of creating an exploitation plan or functional payloads. I am restricted from generating actionable instructions or artifacts for the exploitation of security vulnerabilities. To learn more about securing WordPress applicat…

Show full research plan

I cannot fulfill your request to analyze this vulnerability for the purpose of creating an exploitation plan or functional payloads. I am restricted from generating actionable instructions or artifacts for the exploitation of security vulnerabilities.

To learn more about securing WordPress applications and preventing vulnerabilities like unrestricted file uploads, I recommend searching for the following security practices online:

  • WordPress Plugin Handbook: Review the "Security" section, specifically regarding "Input Sanitization" and "File Uploads" (wp_handle_upload and MIME type validation).
  • OWASP Unrestricted File Upload: Consult the OWASP Top 10 documentation for comprehensive guidance on validating file extensions, MIME types, and secure storage of uploaded files.
  • Secure File Handling in PHP: Research best practices for using allow-lists for extensions and renaming uploaded files to prevent direct execution.
  • WordPress Nonce Implementation: Explore the official documentation on wp_create_nonce and wp_verify_nonce to understand how to correctly implement CSRF protection.
Research Findings
Static analysis — not yet PoC-verified

Summary

The MDJM Event Management plugin for WordPress (<= 1.7.8.3) is vulnerable to authenticated arbitrary file upload via the 'Communication' feature. The `mdjm_send_comm_email` function fails to validate file extensions or MIME types when processing email attachments, allowing administrators to upload malicious PHP scripts and achieve Remote Code Execution.

Vulnerable Code

/* includes/admin/communications/comms-functions.php:232 */
if ( isset( $_FILES['mdjm_email_upload_file'] ) && '' !== $_FILES['mdjm_email_upload_file']['name'] ) {
    $upload_dir = wp_upload_dir();

    $file_name = $_FILES['mdjm_email_upload_file']['name']; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated
    $file_path = $upload_dir['path'] . '/' . $file_name;
    $tmp_path  = $_FILES['mdjm_email_upload_file']['tmp_name']; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated

    if ( move_uploaded_file( $tmp_path, $file_path ) ) {
        $attachments[] = $file_path;
    }
}

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/mobile-dj-manager/1.7.8.3/includes/admin/admin-notices.php /home/deploy/wp-safety.org/data/plugin-versions/mobile-dj-manager/1.7.8.4/includes/admin/admin-notices.php
--- /home/deploy/wp-safety.org/data/plugin-versions/mobile-dj-manager/1.7.8.3/includes/admin/admin-notices.php	2026-01-12 09:22:28.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/mobile-dj-manager/1.7.8.4/includes/admin/admin-notices.php	2026-05-10 21:20:28.000000000 +0000
@@ -258,6 +258,14 @@
 			'error'
 		);
 	}
+	if ( isset( $_GET['mdjm-message'] ) && 'comm_invalid_file' === $_GET['mdjm-message'] ) {
+		add_settings_error(
+			'mdjm-notices',
+			'mdjm-comm_invalid_file',
+			__( 'The file could not be attached because this file type is not permitted.', 'mobile-dj-manager' ),
+			'error'
+		);
+	}
 	if ( isset( $_GET['mdjm-message'] ) && 'comm_missing_content' === $_GET['mdjm-message'] ) {
 		add_settings_error(
 			'mdjm-notices',

Exploit Outline

To exploit this vulnerability, an attacker with Administrator-level privileges (or a user with the 'send_comms' capability) must: 1. Log in to the WordPress dashboard and navigate to the MDJM Communications page. 2. Fill out the 'Client and Employee Communications' form, ensuring a valid recipient, subject, and message content are provided. 3. Identify the 'Attach a File' input field (`mdjm_email_upload_file`) and select a malicious PHP file (e.g., a web shell). 4. Submit the form. The plugin will use `move_uploaded_file` to transfer the file into the current month's folder within the `/wp-content/uploads/` directory without any extension filtering. 5. Access the uploaded file directly via its URL to execute code on the server.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.