Exploit for CVE-2026-7537

Name: Exploit for CVE-2026-7537
Rating: 5 (5 reviews)
2026-04-30 | CVSS 7.2
## https://sploitus.com/exploit?id=8FD393D5-318F-5D5A-BACC-E24BE8C327B1
# MDJM Event Management <= 1.7.8.3 - Authenticated (Administrator+) Arbitrary File Upload via 'mdjm_email_upload_file' Parameter

The WordPress [MDJM Event Management](https://wordpress.org/plugins/mobile-dj-manager/) plugin (version 1.7.8.3 and prior) contains an arbitrary file upload vulnerability that allows authenticated administrators to upload malicious PHP files to the server, potentially leading to remote code execution.


## TL;DR Exploits

A POC [CVE-2026-7537.py](./CVE-2026-7537.py) is provided to demonstrate an authenticated attacker uploading shell.php and executing remote code:
```
python3 ./CVE-2026-7537.py http://target-site.com admin password123
[+] Logging into: http://target-site.com/wp-admin
[+] Extracting nonce values...
[+] Uploading web shell: shell.php
[+] Web Shell Location: http://target-site.com/wp-content/uploads/2026/02/shell.php
[+]
[+] Executing test command: id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```


## Technical Description

The vulnerability exists in the `mdjm_send_comm_email()` function in the communications feature. The upload functionality lacks proper file validation while processing file attachments for email communications. This allows authenticated users with the `mdjm_comms_send` capability (administrators and MDJM admins by default) to upload arbitrary files, including PHP files that can be executed on the server.

### Attack Path Analysis

**Source**: User input from `$_FILES['mdjm_email_upload_file']`
**Sink**: `move_uploaded_file($tmp_path, $file_path)` at [comms-functions.php#L248](https://plugins.trac.wordpress.org/browser/mobile-dj-manager/trunk/includes/admin/communications/comms-functions.php#L248)

The vulnerability occurs because:

1. **Route Registration**: The communications form is accessible to users with the `send_comms` capability via [comms-functions.php#L24](https://plugins.trac.wordpress.org/browser/mobile-dj-manager/trunk/includes/admin/communications/comms-functions.php#L24).
2. **Capability Check**: The `mdjm_comms_send` capability is granted to users with `manage_mdjm` permission via [class-mdjm-permissions.php#L626](https://plugins.trac.wordpress.org/browser/mobile-dj-manager/trunk/includes/admin/roles/class-mdjm-permissions.php#L626).
3. **Default Role Permissions**: The DJ role ([class-mdjm-roles.php#L97-L104](https://plugins.trac.wordpress.org/browser/mobile-dj-manager/trunk/includes/admin/roles/class-mdjm-roles.php#L97)) does NOT have `mdjm_comms_send` by default - only admins do.
4. **Action Processing**: Form submissions are processed through the `mdjm_process_actions()` function at [admin-actions.php#L26](https://plugins.trac.wordpress.org/browser/mobile-dj-manager/trunk/includes/admin/admin-actions.php#L26).
5. **Handler Invocation**: The action triggers the `mdjm_send_comm_email()` function registered at [comms-functions.php#L300](https://plugins.trac.wordpress.org/browser/mobile-dj-manager/trunk/includes/admin/communications/comms-functions.php#L300).
6. **Nonce Verification**: While CSRF protection exists via nonce verification at [comms-functions.php#L235](https://plugins.trac.wordpress.org/browser/mobile-dj-manager/trunk/includes/admin/communications/comms-functions.php#L235), no file validation follows.
7. **Input Processing**: User-controlled file data from `$_FILES['mdjm_email_upload_file']` is directly processed without validation at [comms-functions.php#L241-L251](https://plugins.trac.wordpress.org/browser/mobile-dj-manager/trunk/includes/admin/communications/comms-functions.php#L241).
8. **File Handling**: Filename is taken directly from user input with no sanitization or extension validation.
9. **File Storage**: Files are saved to WordPress uploads directory (`/wp-content/uploads/YYYY/MM/`) using `move_uploaded_file()` with no security checks.

### Vulnerable Code Location

**File**: [includes/admin/communications/comms-functions.php#L241-L251](https://plugins.trac.wordpress.org/browser/mobile-dj-manager/trunk/includes/admin/communications/comms-functions.php#L241)

```php
if ( isset( $_FILES['mdjm_email_upload_file'] ) && '' !== $_FILES['mdjm_email_upload_file']['name'] ) {
    $upload_dir = wp_upload_dir();

    $file_name = $_FILES['mdjm_email_upload_file']['name']; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated
    $file_path = $upload_dir['path'] . '/' . $file_name;
    $tmp_path  = $_FILES['mdjm_email_upload_file']['tmp_name']; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated

    if ( move_uploaded_file( $tmp_path, $file_path ) ) {
        $attachments[] = $file_path;
    }
}
```