Description
The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'custom_fields_controller' function in all versions up to, and including, 1.7.8.1. This makes it possible for unauthenticated attackers to delete arbitrary custom event fields via the 'delete_custom_field' and 'id' parameters.
Published: 2026-03-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Deletion of Custom Event Fields
Action: Assess and Patch
AI Analysis

Impact

The MDJM Event Management plugin for WordPress lacks a capability check in its custom_fields_controller function, enabling unauthenticated users to delete any custom event field using the delete_custom_field and id parameters. This flaw permits arbitrary data modification, potentially destroying or corrupting event information stored by the system. The weakness is classified as an Authorization Failure (CWE-862).

Affected Systems

All WordPress installations running MDJM Event Management plugin versions up to and including 1.7.8.1 are affected. The vulnerability is present in every release up to that point and impacts the plugin’s administrative interface that manages custom event fields.

Risk and Exploitability

The CVSS base score of 5.3 indicates medium severity. EPSS reflects a very low probability of exploitation (<1%), and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is remote and unauthenticated, via HTTP requests to the plugin’s event‑field controller endpoint, requiring no authentication credentials or elevated privileges.

Generated by OpenCVE AI on April 15, 2026 at 17:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s website or plugin repository for an official update that restores the missing capability check.
  • If an update is not immediately available, modify the plugin or implement a custom filter to enforce that only users with adequate capabilities (e.g., administrator) can trigger the delete_custom_field action.
  • As a temporary measure, consider removing or disabling the delete link in the admin event‑field management interface for users who lack proper role assignments to reduce the attack surface.

Generated by OpenCVE AI on April 15, 2026 at 17:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Mdjm
Mdjm mdjm Event Management
Wordpress
Wordpress wordpress
Vendors & Products Mdjm
Mdjm mdjm Event Management
Wordpress
Wordpress wordpress

Sat, 07 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
Description The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'custom_fields_controller' function in all versions up to, and including, 1.7.8.1. This makes it possible for unauthenticated attackers to delete arbitrary custom event fields via the 'delete_custom_field' and 'id' parameters.
Title MDJM Event Management <= 1.7.8.1 - Missing Authorization to Unauthenticated Arbitrary Custom Event Field Deletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Mdjm Mdjm Event Management
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:23:25.055Z

Reserved: 2026-01-29T19:07:23.727Z

Link: CVE-2026-1650

cve-icon Vulnrichment

Updated: 2026-03-09T19:12:41.743Z

cve-icon NVD

Status : Deferred

Published: 2026-03-07T02:16:11.720

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-1650

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T18:00:15Z

Weaknesses