CVE-2026-7537: MDJM Event Management WordPress Plugin Arbitrary File Upload & RCE
The MDJM Event Management plugin for WordPress contains a file upload vulnerability that allows administrators to upload and execute malicious files on a website. Because there are no checks on file types, extensions, or formats, an attacker with admin access could upload executable files and run arbitrary code on the server. This affects all versions through 1.7.8.3.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-434
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-06 / 2026-06-17
NVD description (verbatim)
The MDJM Event Management plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7.8.3 via the mdjm_send_comm_email function. This is due to no file type, extension, or MIME type validation being performed on uploaded files. This makes it possible for authenticated attackers, with administrator-level access and above, to upload files that may be executable, which makes remote code execution possible.
10 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-7537 is an arbitrary file upload vulnerability in the MDJM Event Management WordPress plugin stemming from insufficient input validation in the mdjm_send_comm_email function. The flaw allows authenticated users with administrator privileges to bypass file upload restrictions by uploading files without extension, MIME type, or content validation. This directly maps to CWE-434 (Unrestricted Upload of File with Dangerous Type) and creates a pathway to remote code execution when executable files are uploaded to web-accessible directories.
Business impact
Organizations running WordPress with this plugin face direct risk of website compromise and server takeover. An administrator account—whether compromised, disgruntled, or leveraged through supply chain attacks—can upload web shells or other malicious code. This may lead to data theft, malware distribution from the site, service disruption, and reputational damage. Event management businesses relying on this plugin should treat this as a critical infrastructure risk.
Affected systems
MDJM Event Management plugin for WordPress, all versions up to and including 1.7.8.3. The vulnerability requires administrator or higher privileges to trigger, limiting the attack surface to internal threats or compromised admin accounts. Organizations should identify all WordPress installations using this plugin and verify their current version.
Exploitability
While the vulnerability requires administrator-level access—a significant gating factor—the attack itself is trivial once that access is obtained. No special tools, user interaction, or complex techniques are needed; an attacker can upload and access a malicious file through the affected upload function. The CVSS score of 7.2 (HIGH) reflects the severity of impact despite the elevated privilege requirement.
Remediation
Update MDJM Event Management to a patched version beyond 1.7.8.3. Verify the availability of fixes in the official plugin repository or vendor advisory. If immediate patching is not possible, restrict administrator role assignments to trusted individuals, enforce strong password policies, enable multi-factor authentication on admin accounts, and monitor file upload activity and unexpected files in plugin directories.
Patch guidance
Check the MDJM Event Management plugin's official WordPress repository or the vendor's security advisory for a version release that addresses CVE-2026-7537. Apply the patch during a maintenance window; back up your WordPress database and site files beforehand. After updating, verify the plugin version in WordPress admin and test event communication features to ensure functionality is preserved.
Detection guidance
Monitor WordPress admin user accounts for unusual login activity, especially from unfamiliar IPs or at odd hours. Check the plugin's upload directories for unexpected or suspicious files, particularly executable types (.php, .phtml, .exe, .sh). Review file modification timestamps in the plugin directory. Enable logging on file uploads and use Web Application Firewall (WAF) rules to block uploads of executable extensions to the affected plugin path.
Why prioritize this
Although this vulnerability requires administrative credentials, the consequence of exploitation is complete server compromise through remote code execution. Organizations using MDJM Event Management should treat this as a high-priority update because the attack surface—compromised or malicious admins—is plausible in multi-user environments. Early patching prevents insider threats and limits blast radius if admin credentials are exposed.
Risk score, explained
The CVSS 3.1 score of 7.2 (HIGH) reflects a vulnerability with high impact on confidentiality, integrity, and availability, but elevated privileges required for exploitation. The attack vector is network-based (no physical access needed), and there is no user interaction required beyond the administrator performing the upload. The privileged access requirement prevents a critical rating but does not reduce the severity of what happens once the flaw is triggered.
Frequently asked questions
Do I need to be an administrator to exploit this?
Yes. The vulnerability explicitly requires administrator-level access or above. Users with lower roles cannot trigger it. This means the primary risk is from compromised admin accounts, malicious insiders, or weak credential management rather than attacks from regular site users or external threat actors without prior access.
What happens after a file is uploaded?
If an executable file (such as a PHP web shell) is uploaded to a web-accessible directory, an attacker can access and execute it via HTTP requests, achieving remote code execution. The server would run code under the web server process privileges, potentially allowing data theft, site defacement, malware distribution, or lateral movement within the network.
Is there a temporary workaround if I can't patch immediately?
Restrict WordPress administrator role to absolutely essential, trusted personnel only. Enforce strong, unique passwords and enable two-factor authentication on all admin accounts. Disable the MDJM plugin if it is not actively in use. Monitor admin login logs and file uploads closely. These steps reduce risk but are not a substitute for patching.
How do I know what version of MDJM I am running?
In WordPress admin, navigate to Plugins, find MDJM Event Management, and check the version number listed. You can also inspect the readme.txt file in the plugin's directory or check the WordPress plugin repository page for MDJM directly.
This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the publish date. Patch versions, KEV status, and exploit availability may change. Organizations should verify patch availability and compatibility with their specific WordPress environment and plugin versions before deployment. SEC.co makes no warranty regarding the completeness or accuracy of derived remediation steps and recommends consultation with your vendor and internal security teams. Always test patches in non-production environments first. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25409HIGHSIM-PKH 2.4.1 Arbitrary File Upload Leading to Remote Code Execution
- CVE-2026-10072HIGHDreamMaker Arbitrary File Upload RCE Vulnerability
- CVE-2026-11344HIGHUnrestricted File Upload in code-projects Vehicle Management System 1.0
- CVE-2026-11419HIGHAltium Enterprise Server Path Traversal – Arbitrary File Write
- CVE-2026-30761HIGHSourceBans Material Admin Arbitrary File Upload RCE Vulnerability
- CVE-2026-39292HIGHPHPPageBuilder Remote Code Execution via Unrestricted File Upload
- CVE-2026-46392HIGHHAX CMS PHP Case-Insensitive File Upload XSS Bypass