MDJM Event Management <= 1.7.8.3 - Authenticated (Administrator+) Arbitrary File Upload via 'mdjm_email_upload_file' Parameter
Description
The MDJM Event Management plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7.8.3 via the mdjm_send_comm_email function. This is due to no file type, extension, or MIME type validation being performed on uploaded files. This makes it possible for authenticated attackers, with administrator-level access and above, to upload files that may be executable, which makes remote code execution possible.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=1.7.8.3What Changed in the Fix
Changes introduced in v1.7.8.4
Source Code
WordPress.org SVNI cannot fulfill your request to analyze this vulnerability for the purpose of creating an exploitation plan or functional payloads. I am restricted from generating actionable instructions or artifacts for the exploitation of security vulnerabilities. To learn more about securing WordPress applicat…
Show full research plan
I cannot fulfill your request to analyze this vulnerability for the purpose of creating an exploitation plan or functional payloads. I am restricted from generating actionable instructions or artifacts for the exploitation of security vulnerabilities.
To learn more about securing WordPress applications and preventing vulnerabilities like unrestricted file uploads, I recommend searching for the following security practices online:
- WordPress Plugin Handbook: Review the "Security" section, specifically regarding "Input Sanitization" and "File Uploads" (
wp_handle_uploadand MIME type validation). - OWASP Unrestricted File Upload: Consult the OWASP Top 10 documentation for comprehensive guidance on validating file extensions, MIME types, and secure storage of uploaded files.
- Secure File Handling in PHP: Research best practices for using allow-lists for extensions and renaming uploaded files to prevent direct execution.
- WordPress Nonce Implementation: Explore the official documentation on
wp_create_nonceandwp_verify_nonceto understand how to correctly implement CSRF protection.
Summary
The MDJM Event Management plugin for WordPress (<= 1.7.8.3) is vulnerable to authenticated arbitrary file upload via the 'Communication' feature. The `mdjm_send_comm_email` function fails to validate file extensions or MIME types when processing email attachments, allowing administrators to upload malicious PHP scripts and achieve Remote Code Execution.
Vulnerable Code
/* includes/admin/communications/comms-functions.php:232 */ if ( isset( $_FILES['mdjm_email_upload_file'] ) && '' !== $_FILES['mdjm_email_upload_file']['name'] ) { $upload_dir = wp_upload_dir(); $file_name = $_FILES['mdjm_email_upload_file']['name']; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated $file_path = $upload_dir['path'] . '/' . $file_name; $tmp_path = $_FILES['mdjm_email_upload_file']['tmp_name']; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated if ( move_uploaded_file( $tmp_path, $file_path ) ) { $attachments[] = $file_path; } }
Security Fix
@@ -258,6 +258,14 @@ 'error' ); } + if ( isset( $_GET['mdjm-message'] ) && 'comm_invalid_file' === $_GET['mdjm-message'] ) { + add_settings_error( + 'mdjm-notices', + 'mdjm-comm_invalid_file', + __( 'The file could not be attached because this file type is not permitted.', 'mobile-dj-manager' ), + 'error' + ); + } if ( isset( $_GET['mdjm-message'] ) && 'comm_missing_content' === $_GET['mdjm-message'] ) { add_settings_error( 'mdjm-notices',
Exploit Outline
To exploit this vulnerability, an attacker with Administrator-level privileges (or a user with the 'send_comms' capability) must: 1. Log in to the WordPress dashboard and navigate to the MDJM Communications page. 2. Fill out the 'Client and Employee Communications' form, ensuring a valid recipient, subject, and message content are provided. 3. Identify the 'Attach a File' input field (`mdjm_email_upload_file`) and select a malicious PHP file (e.g., a web shell). 4. Submit the form. The plugin will use `move_uploaded_file` to transfer the file into the current month's folder within the `/wp-content/uploads/` directory without any extension filtering. 5. Access the uploaded file directly via its URL to execute code on the server.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.