An arbitrary file upload vulnerability in the MDJM Event Management WordPress plugin, tracked as CVE-2026-7537 (CVSS 7.2), allows authenticated attackers with administrator access to upload arbitrary files — including PHP webshells — to the server. All versions up to and including 1.7.8.3 are affected.
What Is the Vulnerability?
CVE-2026-7537 is an unrestricted file upload vulnerability (CWE-434) in the mdjm_send_comm_email function. The function performs no file type validation, no extension checking, and no MIME type verification on uploaded files. An attacker with administrator-level access can upload any file type — including PHP scripts — to the server, which can then be executed to achieve remote code execution.
While administrator access is required, this vulnerability remains dangerous: if admin credentials are compromised through credential theft, phishing, or another vulnerability, it provides a direct path to server compromise. An attacker who starts with lower-level access can also chain it with a privilege escalation vulnerability to reach the required role.
- CVSS v3.1 Score: 7.2 (High)
- CWE: CWE-434 (Unrestricted Upload of File with Dangerous Type)
- Privileges Required: Administrator
Which Versions Are Affected?
- MDJM Event Management: all versions up to and including 1.7.8.3
Is It Being Exploited in the Wild?
No active exploitation has been publicly confirmed.
What Is the Fix?
Update MDJM Event Management to a version beyond 1.7.8.3. The fix adds file type and extension validation to the upload function.
Recommendations
Update MDJM Event Management. Unrestricted file upload gives an attacker a direct path to code execution, so treat it as critical: apply the update and audit the uploads directory for unexpected PHP files.
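The validation the fix adds (extension and file-type checks) and the uploads-directory audit recommended above, as an added Python example that is not the plugin's code. The allow and deny lists and the magic-byte table are this example's own assumptions; it goes beyond a single extension check by refusing any executable extension anywhere in the name and by comparing content against the claimed type.

```python
import os
import re

# Constructed allow/deny lists for this example, not the plugin's own configuration.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "csv"}
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "inc"}

# Leading bytes expected for the allowed binary types; a file whose content does not
# match its claimed extension is rejected even when the extension itself looks safe.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)  # <?php or <?= anywhere in the content


def check_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for one upload; no single check is trusted on its own."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return False, "no extension"
    exts = parts[1:]
    # Every extension in the name is checked, so shell.php.jpg and shell.jpg.php both fail.
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, "executable extension"
    ext = exts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed"
    if ext in MAGIC and not content.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    if PHP_TAG.search(content):
        return False, "PHP open tag in content"
    return True, "ok"


def audit_uploads(root: str) -> list[tuple[str, str]]:
    """Walk an uploads tree and return (path, reason) for every file check_upload would reject."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(65536)  # enough for magic bytes and a PHP tag near the top
            ok, reason = check_upload(name, head)
            if not ok:
                findings.append((path, reason))
    return findings
```

Run `audit_uploads` against the wp-content/uploads path of the affected site; any finding with an executable extension or an embedded PHP tag warrants incident handling, not just deletion.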
References
This advisory was first covered in the broader Vulnerability Intelligence Report — June 7, 2026.
