Severity: HIGH | CVE-2026-7537 | CNA: Wordfence

CVE-2026-7537: MDJM Event Management <= 1.7.8.3 - Authenticated (Administrator+) Arbitrary File Upload via 'mdjm_email_upload_file' Parameter

The MDJM Event Management plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7.8.3 via the mdjm_send_comm_email function. This is due to no file type, extension, or MIME type validation being performed on uploaded files. This makes it possible for authenticated attackers, with administrator-level access and above, to upload files that may be executable, which makes remote code execution possible.
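The advisory's root cause is the absence of any extension or MIME check on the attachment passed to the email-send routine. The following is an added illustration, not code from the MDJM plugin or from HarborGuard: a handler that stores an upload unchecked (the pattern the advisory describes) next to a hardened version built on WordPress' own upload validation. It assumes it runs inside WordPress; the `hg_example_*` function names, the `attachment` form field and the nonce action name are hypothetical.

```php
<?php
/**
 * Added example (not the MDJM plugin's code): the missing-validation pattern
 * the advisory describes, beside a hardened attachment handler. Assumes a
 * WordPress runtime; hg_example_* names, the 'attachment' field and the
 * 'hg_example_send_email' nonce action are hypothetical.
 */

// Vulnerable pattern: the file is stored under its client-supplied name with
// no capability, extension or MIME check, so a ".php" upload lands in a
// web-served directory and can be requested directly.
function hg_example_store_attachment_unchecked( array $file ) {
    $upload_dir = wp_upload_dir();
    $target     = $upload_dir['path'] . '/' . basename( $file['name'] );
    move_uploaded_file( $file['tmp_name'], $target );
    return $target;
}

// Hardened handler: capability check, nonce check, size cap, explicit MIME
// allow-list, and WordPress' extension-versus-content validation.
function hg_example_store_attachment_checked( array $file ) {
    // Only administrators may attach files, and the request must carry a
    // valid nonce for this action (check_admin_referer() dies on failure).
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges.' );
    }
    check_admin_referer( 'hg_example_send_email' );

    if ( ! isset( $file['error'] ) || UPLOAD_ERR_OK !== $file['error'] ) {
        return new WP_Error( 'upload_error', 'Upload did not complete.' );
    }
    if ( $file['size'] > 5 * MB_IN_BYTES ) {
        return new WP_Error( 'too_large', 'Attachment exceeds 5 MB.' );
    }

    // Allow-list of the document/image types an email attachment legitimately
    // needs. Anything absent (php, phtml, html, svg, js, ...) is rejected; a
    // deny-list would miss variants such as .phar or .php7.
    $allowed_mimes = array(
        'pdf'      => 'application/pdf',
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'docx'     => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
    );

    // wp_check_filetype_and_ext() compares the claimed extension with the
    // sniffed content; PHP source renamed to .png yields an empty type here.
    $check = wp_check_filetype_and_ext(
        $file['tmp_name'],
        sanitize_file_name( $file['name'] ),
        $allowed_mimes
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'invalid_type', 'Attachment type not permitted.' );
    }

    // wp_handle_upload() re-runs the same validation against the allow-list,
    // generates a unique sanitized filename and moves the file itself.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed_mimes ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_rejected', $result['error'] );
    }
    return $result['file']; // absolute path of the stored attachment
}

// Usage from the email-send action handler:
// $path = hg_example_store_attachment_checked( $_FILES['attachment'] );
// if ( is_wp_error( $path ) ) { wp_die( $path ); }
```

The explicit `wp_check_filetype_and_ext()` call is redundant with the check `wp_handle_upload()` performs when `test_type` is left at its default, but it keeps the rejection reason visible to the caller. The allow-list passed as `mimes` is the control that matters: it replaces the site-wide upload MIME list with the handful of types this feature actually needs, so an administrator account that has been compromised cannot use the attachment path to place server-side code in a web-served directory.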

Metrics

CVSS v3.1: 7.2
Severity: HIGH
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

An arbitrary file upload vulnerability affects the MDJM Event Management WordPress plugin in all versions up to and including 1.7.8.3. The flaw is reachable over the network and requires an attacker to hold an administrator-level account, but once authenticated, the attacker can upload executable files through the mdjm_send_comm_email function because no file type, extension, or MIME type validation is enforced. Successful exploitation enables remote code execution on the host. No fix version has been published; HarborGuard tracks the advisory and will make a patched rebuild available the moment upstream ships a patch.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-7537 is available across every HarborGuard environment. Vulnerability data is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built WordPress images that bundle this plugin, in both registry scans and active pipeline checks.
Triage: Available

HarborGuard is capable of scoring this CVE at its published CVSS 3.1 rating of 7.2 (HIGH) and weighting that score against each customer environment's compliance policy. Triage routing to the appropriate team inbox within each customer organization is available automatically once the CVE is matched to an affected image.
Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-evaluates the MDJM Event Management advisory on every ingest cycle and will make a patched-image rebuild available as soon as the upstream maintainer ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress installation over the network; the vulnerable endpoint is exposed via the standard HTTP interface.

  • Authentication: Required

    An administrator-level account or higher is needed; a low-privilege account is not sufficient to reach the vulnerable upload function.

  • Victim interaction: Not required

    No user interaction is required; the attacker exercises the upload function directly without any social-engineering step.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental prerequisites beyond holding an admin credential.

Blast Radius

  • Attacker uploads and executes arbitrary server-side code, achieving full remote code execution on the WordPress host.
  • All data accessible to the web server process is readable, including database credentials, configuration files, and stored user records.
  • Attacker can write or overwrite files on the server, modifying plugin code, theme files, or other persisted content.
  • The web server process can be crashed or monopolized, taking the WordPress site offline.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-7537 is active across all environments scanning images that include MDJM Event Management 1.7.8.3 or earlier. Because no upstream fix has been published, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment the maintainer releases a remediated version. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will open automatically without manual intervention. In the interim, compensating controls available through container security policy include network-policy isolation to restrict inbound access to WordPress admin routes, egress filtering to limit the blast radius of any executed payload, and disabling the MDJM email attachment feature via plugin configuration or a WAF rule blocking uploads to the mdjm_send_comm_email handler.

Affected packages

  • mdjm / MDJM Event Management ≤ 1.7.8.3

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H