MDJM Event Management <= 1.7.8.3 - Authenticated (Administrator+) Arbitrary File Upload via mdjm_email_upload_file Parameter

CVE-2026-7537

The WordPress MDJM Event Management plugin (version 1.7.8.3 and prior) contains an arbitrary file upload vulnerability that allows authenticated administrators to upload malicious PHP files to the server, potentially leading to remote code execution.

TL;DR Exploits

A POC CVE-2026-7537.py is provided to demonstrate an authenticated attacker uploading shell.php and executing remote code:

python3 ./CVE-2026-7537.py http://target-site.com admin password123
[+] Logging into: http://target-site.com/wp-admin
[+] Extracting nonce values...
[+] Uploading web shell: shell.php
[+] Web Shell Location: http://target-site.com/wp-content/uploads/2026/02/shell.php
[+]
[+] Executing test command: id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Technical Description

The vulnerability exists in the mdjm_send_comm_email() function in the communications feature. The upload functionality lacks proper file validation while processing file attachments for email communications. This allows authenticated users with the mdjm_comms_send capability (administrators and MDJM admins by default) to upload arbitrary files, including PHP files that can be executed on the server.

Attack Path Analysis

Source: User input from $_FILES['mdjm_email_upload_file'] Sink: move_uploaded_file($tmp_path, $file_path) at comms-functions.php#L248

The vulnerability occurs because:

1. Route Registration: The communications form is accessible to users with the send_comms capability via comms-functions.php#L24.
2. Capability Check: The mdjm_comms_send capability is granted to users with manage_mdjm permission via class-mdjm-permissions.php#L626.
3. Default Role Permissions: The DJ role (class-mdjm-roles.php#L97-L104) does NOT have mdjm_comms_send by default - only admins do.
4. Action Processing: Form submissions are processed through the mdjm_process_actions() function at admin-actions.php#L26.
5. Handler Invocation: The action triggers the mdjm_send_comm_email() function registered at comms-functions.php#L300.
6. Nonce Verification: While CSRF protection exists via nonce verification at comms-functions.php#L235, no file validation follows.
7. Input Processing: User-controlled file data from $_FILES['mdjm_email_upload_file'] is directly processed without validation at comms-functions.php#L241-L251.
8. File Handling: Filename is taken directly from user input with no sanitization or extension validation.
9. File Storage: Files are saved to WordPress uploads directory (/wp-content/uploads/YYYY/MM/) using move_uploaded_file() with no security checks.

Vulnerable Code Location

File: includes/admin/communications/comms-functions.php#L241-L251

if ( isset( $_FILES['mdjm_email_upload_file'] ) && '' !== $_FILES['mdjm_email_upload_file']['name'] ) {
    $upload_dir = wp_upload_dir();

    $file_name = $_FILES['mdjm_email_upload_file']['name']; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated
    $file_path = $upload_dir['path'] . '/' . $file_name;
    $tmp_path  = $_FILES['mdjm_email_upload_file']['tmp_name']; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated

    if ( move_uploaded_file( $tmp_path, $file_path ) ) {
        $attachments[] = $file_path;
    }
}