CVE-2026-7537
Description
The MDJM Event Management plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7.8.3 via the mdjm_send_comm_email function. This is due to no file type, extension, or MIME type validation being performed on uploaded files. This makes it possible for authenticated attackers, with administrator-level access and above, to upload files that may be executable, which makes remote code execution possible.
Affected products
- Range: <=1.7.8.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The upload functionality lacks proper file validation, allowing arbitrary file uploads."
Attack vector
Authenticated attackers with administrator-level access can exploit this vulnerability. They can upload malicious PHP files to the server via the `mdjm_send_comm_email` function, which lacks file type, extension, or MIME type validation [ref_id=1]. This allows for remote code execution by uploading executable files [ref_id=1]. The vulnerability occurs because user-controlled file data is processed directly without validation [ref_id=2].
Affected code
The vulnerability exists within the `mdjm_send_comm_email()` function, located in `comms-functions.php`. The upload functionality within this function processes file attachments for email communications without adequate validation. Specifically, the `move_uploaded_file()` function at `comms-functions.php#L248` is called with user-controlled input from `$_FILES['mdjm_email_upload_file']` without prior sanitization or validation [ref_id=1].
What the fix does
The patch is not available in the provided bundle. The advisory recommends that users update to a version that addresses this vulnerability. Without a patch, the specific code changes are unknown, but the vulnerability is described as stemming from a lack of file validation in the `mdjm_send_comm_email` function [ref_id=1].
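Since the patch itself is not in the bundle, the following is an added illustrative example (not MDJM's code and not its fix) of how a WordPress plugin can validate an email attachment before storing it: a capability check, a nonce check, an explicit type allowlist, and delegation to `wp_handle_upload()`, which refuses extensions outside that allowlist. The field name `mdjm_email_upload_file` and the capability `mdjm_comms_send` are taken from this advisory; the nonce action name and function name are assumptions.

```php
<?php
// Added example of a hardened attachment handler for a WordPress plugin.
// NOT the MDJM plugin's code or patch; it shows the checks the advisory
// says are absent (file type, extension and MIME validation).

function example_handle_comm_attachment( $field = 'mdjm_email_upload_file' ) {
    // 1. Capability: only users allowed to send communications may attach files.
    if ( ! current_user_can( 'mdjm_comms_send' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability.' );
    }
    // 2. Nonce (action name 'example_send_comm' is an assumption).
    $nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'example_send_comm' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid nonce.' );
    }
    // 3. Basic sanity on the upload record itself.
    if ( empty( $_FILES[ $field ] ) || UPLOAD_ERR_OK !== $_FILES[ $field ]['error'] ) {
        return new WP_Error( 'no_file', 'No file uploaded.' );
    }
    $file = $_FILES[ $field ];
    if ( ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'not_upload', 'Not an uploaded file.' );
    }
    // 4. Allowlist of attachment types; anything else (including .php) is rejected.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    );
    // wp_check_filetype_and_ext() checks the extension against the allowlist and,
    // for types it can sniff, that the file content matches the claimed type.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'Attachment type not allowed.' );
    }
    // 5. Let WordPress move the file: it re-validates against $allowed and
    // sanitizes the filename, instead of calling move_uploaded_file() directly
    // on user-controlled input.
    $overrides = array(
        'test_form' => false,
        'mimes'     => $allowed,
    );
    $result = wp_handle_upload( $file, $overrides );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    // $result['file'] is the stored path, $result['type'] the validated MIME type.
    return $result;
}
```

The key difference from the behaviour described above is that the file never reaches disk unless its extension and type pass an explicit allowlist, so a `.php` upload fails at step 4 regardless of the caller's role.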
Preconditions
- Attacker must have administrator-level access or equivalent privileges (e.g., `mdjm_comms_send` capability).
Reproduction
python3 ./CVE-2026-7537.py http://target-site.com admin password123
[+] Logging into: http://target-site.com/wp-admin
[+] Extracting nonce values...
[+] Uploading web shell: shell.php
[+] Web Shell Location: http://target-site.com/wp-content/uploads/2026/02/shell.php
[+]
[+] Executing test command: id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[ref_id=1]
Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/mobile-dj-manager/tags/1.7.8.2/includes/admin/communications/comms-functions.php
- plugins.trac.wordpress.org/browser/mobile-dj-manager/tags/1.7.8.3/includes/admin/communications/comms-functions.php
- plugins.trac.wordpress.org/browser/mobile-dj-manager/trunk/includes/admin/communications/comms-functions.php
- plugins.trac.wordpress.org/changeset
- ryankozak.com/posts/cve-2026-7537/
- www.wordfence.com/threat-intel/vulnerabilities/id/42f37a41-deff-4b17-94d8-4e0fd1ce22c2
News mentions
No linked articles in our index yet.