CVE-2026-1650
Unauthorized Data Modification in MDJM Event Management Plugin
Publication date: 2026-03-07
Last updated on: 2026-03-07
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mdjm | mobile_dj_manager | up to and including 1.7.8.1 (affected) |
| mdjm | mobile_dj_manager | 1.7.8.2 (fixed) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the MDJM Event Management plugin for WordPress exists because the `custom_fields_controller` function lacks a capability check in all versions up to and including 1.7.8.1. This allows unauthenticated attackers to delete arbitrary custom event fields by exploiting the `delete_custom_field` and `id` parameters without proper authorization.

Essentially, the plugin did not verify whether the user had permission to delete custom fields, nor did it verify security nonces to protect against unauthorized requests. This missing validation enables attackers to manipulate event-related data by deleting custom fields without logging in or having the necessary privileges. [1, 2, 4]
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized and unauthenticated users to delete custom event fields in the Mobile DJ Manager plugin. Such deletion can lead to loss of important event-related data, potentially disrupting event management workflows.
Since the vulnerability permits arbitrary deletion of custom fields without permission checks, it could be exploited to tamper with or remove critical event metadata, which might affect event scheduling, client information, or venue details managed through the plugin.
The impact is limited to data integrity (Integrity impact) with no direct confidentiality or availability impact, as indicated by the CVSS score (5.3) and vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized deletion of custom event fields via HTTP GET requests with the parameters `delete_custom_field` and `id`, without proper authentication or nonce verification.

To detect exploitation attempts on your system or network, you can monitor HTTP requests targeting the vulnerable WordPress plugin endpoints that include these parameters.

- Check your web server access logs for GET requests containing the `delete_custom_field` and `id` parameters, for example using grep:
  - `grep -i 'delete_custom_field' /var/log/apache2/access.log`
  - `grep -i 'delete_custom_field' /var/log/nginx/access.log`
- Look for suspicious requests without valid nonce parameters (`_wpnonce`) or from unauthenticated IPs.
- If you have access to the WordPress database, you can audit recent deletions of custom fields by checking the `wp_posts` table for posts of type `mdjm-custom-fields` that were deleted or are missing.
- Use WordPress debug logs (if enabled) to check for logged deletion actions related to custom fields. [1, 4]
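As an added example (not from the advisory, Wordfence, or the plugin), a small Python detector that applies the access-log check above to combined-format log lines and reports each request carrying `delete_custom_field`, noting whether `id` and `_wpnonce` accompany it; the sample log lines, the TEST-NET IPs and the admin page slug `example-page` are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx combined log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # parse_qs keeps repeated keys as lists, e.g. {'id': ['42']}
    entry["params"] = parse_qs(urlsplit(entry["target"]).query, keep_blank_values=True)
    return entry

def classify(entry):
    """Return a finding for requests carrying the delete_custom_field parameter, else None."""
    params = entry["params"]
    if "delete_custom_field" not in params:
        return None
    reasons = ["delete_custom_field present"]
    if "id" not in params:
        reasons.append("no id parameter (unusual for the deletion action)")
    if "_wpnonce" not in params:
        # Pre-patch the nonce was never checked, so exploitation traffic tends to omit it.
        reasons.append("no _wpnonce parameter")
    return {"ip": entry["ip"], "ts": entry["ts"], "method": entry["method"],
            "status": entry["status"], "ids": params.get("id", []), "reasons": reasons}

def scan(lines):
    """Run classify over an iterable of log lines and collect the findings in order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            finding = classify(entry)
            if finding:
                findings.append(finding)
    return findings

# Constructed sample log: placeholder IPs from TEST-NET ranges, invented admin page slug.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Mar/2026:10:15:01 +0000] "GET /wp-admin/admin.php?page=example-page&delete_custom_field=1&id=42 HTTP/1.1" 302 0 "-" "curl/8.4.0"',
    '198.51.100.3 - - [07/Mar/2026:10:15:02 +0000] "GET /wp-admin/admin.php?page=example-page HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Mar/2026:10:15:03 +0000] "GET /wp-admin/admin.php?page=example-page&delete_custom_field=1&id=43&_wpnonce=abc123 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} ids={f['ids']} status={f['status']} :: {'; '.join(f['reasons'])}")
```

A present `_wpnonce` is only a weak signal, since the vulnerable versions never validated it; treat every hit as worth correlating with the `wp_posts` audit described above.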
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to update the Mobile DJ Manager WordPress plugin to version 1.7.8.2 or later, which includes fixes for this vulnerability.

- The update enforces nonce verification on deletion requests to ensure they are legitimate.
- It also adds user capability checks requiring the `manage_mdjm` permission to perform deletion or modification of custom fields.
- If an immediate update is not possible, restrict access to the plugin's admin pages and endpoints by IP or authentication to prevent unauthenticated requests.
- Monitor and block suspicious requests attempting to delete custom fields without valid nonces.
- Consider temporarily disabling the plugin until the patch can be applied if the risk is high. [1]