CVE-2026-7537: MDJM Event Management WordPress Plugin Arbitrary File Upload

Overview

A critical file upload vulnerability has been identified in the MDJM Event Management plugin for WordPress, tracked as CVE-2026-7537. The flaw allows authenticated attackers with subscriber-level access or higher to upload arbitrary files to the web server, potentially enabling remote code execution.

The vulnerability was published to the National Vulnerability Database (NVD) on June 6, 2026, and carries a CVSS v3 base score of 7.2 (High).

Technical Details

The vulnerability exists in the mdjm_send_comm_email function, which handles communication email functionality within the plugin. The function performs no validation of uploaded file types, extensions, or MIME types before processing files.

This means an attacker can upload files with dangerous extensions — including PHP web shells — that could be executed server-side if placed in a web-accessible directory.

Detail	Value
CVE ID	CVE-2026-7537
CVSS Score	7.2 (High)
Attack Vector	Network
Authentication Required	Yes (Subscriber+)
Affected Versions	≤ 1.7.8.3
Vulnerable Function	`mdjm_send_comm_email`

Impact

Successful exploitation of this vulnerability could allow an attacker to:

Upload PHP web shells or other malicious executables to the server
Achieve remote code execution (RCE) on the underlying host
Pivot laterally within the hosting environment
Exfiltrate sensitive data from the WordPress database or filesystem
Establish persistent backdoor access

Affected Software

Plugin: MDJM Event Management for WordPress
Affected versions: All versions up to and including 1.7.8.3
Platform: WordPress

Remediation

WordPress site administrators running the MDJM Event Management plugin should take the following steps immediately:

Update the plugin to the latest available version that addresses this vulnerability
Review uploaded files in WordPress media and plugin directories for suspicious content
Restrict plugin usage to trusted users only until a patch is confirmed applied
Implement a Web Application Firewall (WAF) to detect and block malicious file upload attempts
Audit user roles to minimize the number of accounts with subscriber-level access or higher

If an update is not yet available, consider disabling the plugin until a patched version is released.

References

Overview

The vulnerability was published to the National Vulnerability Database (NVD) on June 6, 2026, and carries a CVSS v3 base score of 7.2 (High).

Technical Details

This means an attacker can upload files with dangerous extensions — including PHP web shells — that could be executed server-side if placed in a web-accessible directory.

Detail	Value
CVE ID	CVE-2026-7537
CVSS Score	7.2 (High)
Attack Vector	Network
Authentication Required	Yes (Subscriber+)
Affected Versions	≤ 1.7.8.3
Vulnerable Function	`mdjm_send_comm_email`

Impact

Successful exploitation of this vulnerability could allow an attacker to:

Upload PHP web shells or other malicious executables to the server

Achieve remote code execution (RCE) on the underlying host

Pivot laterally within the hosting environment

Exfiltrate sensitive data from the WordPress database or filesystem

Establish persistent backdoor access

Remediation

WordPress site administrators running the MDJM Event Management plugin should take the following steps immediately:

Update the plugin to the latest available version that addresses this vulnerability

Review uploaded files in WordPress media and plugin directories for suspicious content

Restrict plugin usage to trusted users only until a patch is confirmed applied

Implement a Web Application Firewall (WAF) to detect and block malicious file upload attempts

Audit user roles to minimize the number of accounts with subscriber-level access or higher

If an update is not yet available, consider disabling the plugin until a patched version is released.

Affected Products

Overview

Technical Details

Impact

Affected Software

Remediation

References

CVE-2026-9851: WordPress Booking Package Plugin Privilege Escalation via Account Takeover

CVE-2026-7459: WordPress Simple History Plugin Account Takeover

CVE-2026-9757: GEO my WP Plugin SQL Injection via Query String Bypass

CVE-2026-7537: MDJM Event Management WordPress Plugin Arbitrary File Upload

Affected Products

Overview

Technical Details

Impact

Affected Software

Remediation

References

CVE-2026-9851: WordPress Booking Package Plugin Privilege Escalation via Account Takeover

CVE-2026-7459: WordPress Simple History Plugin Account Takeover

CVE-2026-9757: GEO my WP Plugin SQL Injection via Query String Bypass