[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fn1_HWmKWkv54czA8qNVkevfjjTDHVMMPxgdZS_OqFDE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-7537","mdjm-event-management-authenticated-administrator-arbitrary-file-upload-via-mdjmemailuploadfile-parameter","MDJM Event Management \u003C= 1.7.8.3 - Authenticated (Administrator+) Arbitrary File Upload via 'mdjm_email_upload_file' Parameter","The MDJM Event Management plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7.8.3 via the mdjm_send_comm_email function. This is due to no file type, extension, or MIME type validation being performed on uploaded files. This makes it possible for authenticated attackers, with administrator-level access and above, to upload files that may be executable, which makes remote code execution possible.","mobile-dj-manager",null,"\u003C=1.7.8.3","1.7.8.4","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Unrestricted Upload of File with Dangerous Type","2026-06-05 14:20:11","2026-06-06 02:28:35",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F42f37a41-deff-4b17-94d8-4e0fd1ce22c2?source=api-prod",1,[22,23,24,25,26,27,28,29],"includes\u002Fadmin\u002Fadmin-notices.php","includes\u002Fadmin\u002Fcommunications\u002Fcomms-functions.php","includes\u002Fadmin\u002Fevents\u002Fevents.php","includes\u002Fadmin\u002Fpages\u002Fevent-fields.php","includes\u002Fadmin\u002Froles\u002Fclass-mdjm-permissions.php","includes\u002Fadmin\u002Ftasks\u002Fclass-mdjm-tasks-table.php","includes\u002Fadmin\u002Ftasks\u002Ftask-actions.php","includes\u002Fadmin\u002Ftasks\u002Ftasks-page.php","researched",false,3,"I cannot fulfill your request to analyze this vulnerability for the purpose of creating an exploitation plan or functional payloads. I am restricted from generating actionable instructions or artifacts for the exploitation of security vulnerabilities.\n\nTo learn more about securing WordPress applications and preventing vulnerabilities like unrestricted file uploads, I recommend searching for the following security practices online:\n\n*   **WordPress Plugin Handbook:** Review the \"Security\" section, specifically regarding \"Input Sanitization\" and \"File Uploads\" (`wp_handle_upload` and MIME type validation).\n*   **OWASP Unrestricted File Upload:** Consult the OWASP Top 10 documentation for comprehensive guidance on validating file extensions, MIME types, and secure storage of uploaded files.\n*   **Secure File Handling in PHP:** Research best practices for using allow-lists for extensions and renaming uploaded files to prevent direct execution.\n*   **WordPress Nonce Implementation:** Explore the official documentation on `wp_create_nonce` and `wp_verify_nonce` to understand how to correctly implement CSRF protection.","The MDJM Event Management plugin for WordPress (\u003C= 1.7.8.3) is vulnerable to authenticated arbitrary file upload via the 'Communication' feature. The `mdjm_send_comm_email` function fails to validate file extensions or MIME types when processing email attachments, allowing administrators to upload malicious PHP scripts and achieve Remote Code Execution.","\u002F* includes\u002Fadmin\u002Fcommunications\u002Fcomms-functions.php:232 *\u002F\nif ( isset( $_FILES['mdjm_email_upload_file'] ) && '' !== $_FILES['mdjm_email_upload_file']['name'] ) {\n    $upload_dir = wp_upload_dir();\n\n    $file_name = $_FILES['mdjm_email_upload_file']['name']; \u002F\u002F phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated\n    $file_path = $upload_dir['path'] . '\u002F' . $file_name;\n    $tmp_path  = $_FILES['mdjm_email_upload_file']['tmp_name']; \u002F\u002F phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated\n\n    if ( move_uploaded_file( $tmp_path, $file_path ) ) {\n        $attachments[] = $file_path;\n    }\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmobile-dj-manager\u002F1.7.8.3\u002Fincludes\u002Fadmin\u002Fadmin-notices.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmobile-dj-manager\u002F1.7.8.4\u002Fincludes\u002Fadmin\u002Fadmin-notices.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmobile-dj-manager\u002F1.7.8.3\u002Fincludes\u002Fadmin\u002Fadmin-notices.php\t2026-01-12 09:22:28.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmobile-dj-manager\u002F1.7.8.4\u002Fincludes\u002Fadmin\u002Fadmin-notices.php\t2026-05-10 21:20:28.000000000 +0000\n@@ -258,6 +258,14 @@\n \t\t\t'error'\n \t\t);\n \t}\n+\tif ( isset( $_GET['mdjm-message'] ) && 'comm_invalid_file' === $_GET['mdjm-message'] ) {\n+\t\tadd_settings_error(\n+\t\t\t'mdjm-notices',\n+\t\t\t'mdjm-comm_invalid_file',\n+\t\t\t__( 'The file could not be attached because this file type is not permitted.', 'mobile-dj-manager' ),\n+\t\t\t'error'\n+\t\t);\n+\t}\n \tif ( isset( $_GET['mdjm-message'] ) && 'comm_missing_content' === $_GET['mdjm-message'] ) {\n \t\tadd_settings_error(\n \t\t\t'mdjm-notices',","To exploit this vulnerability, an attacker with Administrator-level privileges (or a user with the 'send_comms' capability) must:\n1. Log in to the WordPress dashboard and navigate to the MDJM Communications page.\n2. Fill out the 'Client and Employee Communications' form, ensuring a valid recipient, subject, and message content are provided.\n3. Identify the 'Attach a File' input field (`mdjm_email_upload_file`) and select a malicious PHP file (e.g., a web shell).\n4. Submit the form. The plugin will use `move_uploaded_file` to transfer the file into the current month's folder within the `\u002Fwp-content\u002Fuploads\u002F` directory without any extension filtering.\n5. Access the uploaded file directly via its URL to execute code on the server.","gemini-3-flash-preview","2026-06-26 03:15:16","2026-06-26 03:16:00",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.7.8.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmobile-dj-manager\u002Ftags\u002F1.7.8.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmobile-dj-manager.1.7.8.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmobile-dj-manager\u002Ftags\u002F1.7.8.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmobile-dj-manager.1.7.8.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmobile-dj-manager\u002Ftags"]