Description
The MDJM Event Management plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7.8.3 via the mdjm_send_comm_email function. This is due to no file type, extension, or MIME type validation being performed on uploaded files. This makes it possible for authenticated attackers, with administrator-level access and above, to upload files that may be executable, which makes remote code execution possible.
Published: 2026-06-06
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The MDJM Event Management plugin for WordPress exposes an arbitrary file upload vulnerability in the mdjm_send_comm_email function because no file type, extension, or MIME type validation is performed. An attacker with administrator-level or higher privileges can upload any file through the corresponding upload interface. If the uploaded file is executable on the web server, the attacker can run arbitrary code with the privileges of the WordPress process, potentially compromising the entire website and underlying host.

Affected Systems

WordPress sites running MDJM Event Management version 1.7.8.3 or earlier are impacted. Versions newer than 1.7.8.3 include a patch that implements proper validation and removes the upload bypass.

Risk and Exploitability

The CVSS score of 7.2 places the issue in the high severity range. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalogue, indicating no currently observed exploitation in the wild. The flaw requires authenticated access at the administrator level or higher, so exploitation needs either an insider or compromised administrator credentials. Once authenticated, an attacker can immediately upload a malicious file and trigger remote code execution, granting full control over the WordPress installation and potentially the underlying server.

Generated by OpenCVE AI on June 6, 2026 at 04:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MDJM Event Management plugin to a version newer than 1.7.8.3, which includes proper file validation in the upload handler.
  • Disable or remove the mdjm_send_comm_email upload functionality if it is not required for operations.
  • Implement server-side controls or a security plugin to block the upload of executable file types (e.g., .php, .exe) until the official fix is applied.

Advisories

No advisories yet.

History

Sat, 06 Jun 2026 12:30:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 06 Jun 2026 03:30:00 +0000

Type: Description
Values removed: none
Values added: The MDJM Event Management plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7.8.3 via the mdjm_send_comm_email function. This is due to no file type, extension, or MIME type validation being performed on uploaded files. This makes it possible for authenticated attackers, with administrator-level access and above, to upload files that may be executable, which makes remote code execution possible.

Type: Title
Values removed: none
Values added: MDJM Event Management <= 1.7.8.3 - Authenticated (Administrator+) Arbitrary File Upload via 'mdjm_email_upload_file' Parameter

Type: Weaknesses
Values removed: none
Values added: CWE-434

Type: References
Values removed: none
Values added: none

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-06T11:48:22.401Z

Reserved: 2026-04-30T18:20:36.475Z

Link: CVE-2026-7537

Vulnrichment

Updated: 2026-06-06T11:48:17.748Z

NVD

Status: Received

Published: 2026-06-06T04:17:32.107

Modified: 2026-06-06T04:17:32.107

Link: CVE-2026-7537

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T05:00:14Z

Weaknesses