PatchSiren cyber security CVE debrief
CVE-2026-7537 mdjm CVE debrief
The MDJM Event Management plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7.8.3 via the mdjm_send_comm_email function. This is due to no file type, extension, or MIME type validation being performed on uploaded files. This makes it possible for authenticated attackers, with administrator-level access and above, to upload files that may be executable, which makes remote code execution possible.
- Vendor: mdjm
- Product: MDJM Event Management
- CVSS: HIGH 7.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-06
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-06
- Advisory updated: 2026-06-08
Who should care
Users of the MDJM Event Management plugin for WordPress, particularly those with administrator-level access and above, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The MDJM Event Management plugin for WordPress is vulnerable to Arbitrary File Upload due to a lack of file type, extension, or MIME type validation in the mdjm_send_comm_email function. This allows authenticated attackers with administrator-level access to upload potentially executable files, leading to remote code execution.
Defensive priority
HIGH
Recommended defensive actions
- Update the MDJM Event Management plugin to a version that includes a fix for this vulnerability.
- Restrict access to the plugin's functionality to only trusted users.
- Monitor for suspicious activity related to file uploads.
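One way to act on the monitoring item, as an added example that is not from the advisory or the plugin: a scan of an uploads tree for files a PHP-enabled server could execute, checking both the file name and the file content. It assumes uploaded files land under the WordPress uploads directory (normally `wp-content/uploads`); the extension list, function names and sample files are assumptions made for illustration.

```python
from pathlib import Path
import tempfile

# Assumption: extensions a PHP-enabled web server may be configured to execute.
EXECUTABLE_EXTS = {"php", "phtml", "phar", "php5", "php7", "pht"}
PHP_MARKERS = (b"<?php", b"<?=")


def classify(path):
    """Return why a file looks server-executable, or None if it does not."""
    # Check every dot-separated segment so "flyer.php.jpg" is caught too.
    for seg in path.name.lower().split(".")[1:]:
        if seg in EXECUTABLE_EXTS:
            return "executable extension ." + seg
    # A harmless extension can still carry PHP; inspect the first bytes.
    with path.open("rb") as fh:
        head = fh.read(4096)
    if any(marker in head for marker in PHP_MARKERS):
        return "PHP open tag in file content"
    return None


def scan_uploads(root):
    """Walk an uploads tree and return sorted (relative path, reason) pairs."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if path.is_file():
            reason = classify(path)
            if reason:
                findings.append((path.relative_to(root).as_posix(), reason))
    return sorted(findings)


def demo():
    """Scan a constructed tree standing in for wp-content/uploads."""
    samples = {  # constructed sample files, not taken from a real site
        "2026/06/setlist.pdf": b"%PDF-1.7\nconstructed sample",
        "2026/06/invoice.php": b"<?php echo 'constructed sample'; ?>",
        "2026/06/flyer.php.jpg": b"\xff\xd8\xff\xe0 constructed sample",
        "2026/06/logo.png": b"\x89PNG\r\n\x1a\n<?php /* constructed */ ?>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan_uploads(tmp)
```

Run `scan_uploads()` against the site's real uploads path on a schedule and alert on any non-empty result; a legitimate media library should not contain files that match either check.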
Evidence notes
The CVE-2026-7537 record was published on 2026-06-06T04:17:32.107Z and modified on 2026-06-08T14:57:14.757Z. The vulnerability has a CVSS score of 7.2 and is classified as HIGH severity.