CVE-2026-1650 in MDJM Event Management Plugin
Summary
by MITRE • 03/07/2026
The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'custom_fields_controller' function in all versions up to, and including, 1.7.8.1. This makes it possible for unauthenticated attackers to delete arbitrary custom event fields via the 'delete_custom_field' and 'id' parameters.
Analysis
by VulDB Data Team • 03/08/2026
The MDJM Event Management plugin for WordPress presents a critical security vulnerability through the absence of proper capability validation within its custom fields controller functionality. This flaw exists in all plugin versions up to and including 1.7.8.1, creating an exploitable condition that allows unauthenticated attackers to manipulate event data without proper authorization. The vulnerability specifically affects the 'custom_fields_controller' function which fails to verify user permissions before executing destructive operations on custom event fields.
The vulnerability stems from a missing capability check: the 'custom_fields_controller' function never verifies that the requesting user holds the privileges required to delete custom event fields. An attacker exploits this weakness by sending a request that carries the 'delete_custom_field' and 'id' parameters. Because no authentication or authorization verification occurs, any remote attacker can delete arbitrary custom fields within the event management system. This is a direct violation of the principle of least privilege and a fundamental flaw in the plugin's access control mechanisms.
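The following is an added illustration of the missing-capability-check pattern and its hardened counterpart in WordPress terms; it is not the MDJM plugin's code, and the function names, the option name and the hook used are assumptions for the example.

```php
<?php
// Added illustration, not the MDJM plugin's code. Function names, the
// 'example_custom_fields' option and the admin_init hook are assumptions.

// Vulnerable pattern: the handler trusts the request parameters and
// deletes the field without checking who is asking.
function example_delete_custom_field_unchecked() {
    if ( isset( $_REQUEST['delete_custom_field'], $_REQUEST['id'] ) ) {
        $fields = (array) get_option( 'example_custom_fields', array() );
        unset( $fields[ absint( $_REQUEST['id'] ) ] );
        update_option( 'example_custom_fields', $fields );
    }
}

// Hardened pattern: require a user with the right capability, verify a
// nonce bound to the action and the field id, and only then delete.
function example_delete_custom_field_checked() {
    if ( ! isset( $_REQUEST['delete_custom_field'], $_REQUEST['id'] ) ) {
        return;
    }
    // Capability check: unauthenticated and low-privilege users fail here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to delete custom fields.', 403 );
    }
    $id = absint( $_REQUEST['id'] );
    // CSRF protection: check_admin_referer() calls wp_die() itself when
    // the '_wpnonce' value is missing or does not match this action/id.
    check_admin_referer( 'example_delete_custom_field_' . $id );
    $fields = (array) get_option( 'example_custom_fields', array() );
    if ( ! isset( $fields[ $id ] ) ) {
        return;
    }
    unset( $fields[ $id ] );
    update_option( 'example_custom_fields', $fields );
}

// Hooking on admin_init is not itself an authorization check: admin_init
// also fires for admin-ajax.php requests, which unauthenticated clients
// can reach, so the current_user_can() call is what gates the deletion.
add_action( 'admin_init', 'example_delete_custom_field_checked' );
```

The delete link that triggers the checked handler would be built with wp_nonce_url() using the same 'example_delete_custom_field_<id>' action so that the nonce verification can succeed.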
The operational impact of this vulnerability extends beyond simple data loss, as it allows attackers to systematically dismantle event management configurations that may contain critical scheduling information, vendor details, or other business-critical data. Unauthenticated deletion of custom fields can disrupt event planning workflows, potentially causing operational downtime for event management systems that rely on these customized data structures. The vulnerability affects the integrity and availability of event management data, creating potential business disruption and compliance issues for organizations using this plugin. Organizations may face reputational damage if event data becomes corrupted or lost due to unauthorized modifications.
Security mitigations for this vulnerability should begin with immediate patching to version 1.7.8.2 or later, which contains the necessary capability checks. System administrators should also implement network-level restrictions to limit access to the affected endpoints and consider monitoring for unusual deletion patterns in event management systems. The vulnerability aligns with CWE-863, which addresses incorrect authorization scenarios, and maps to ATT&CK technique T1485, representing data manipulation through unauthorized access. Organizations should conduct comprehensive audits of their WordPress installations to identify other plugins with similar authorization flaws and establish robust monitoring procedures for custom field modifications. Additionally, implementing proper input validation and output encoding practices can help prevent similar vulnerabilities in future development cycles while maintaining the integrity of event management data structures.