{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1650", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-29T19:07:23.727Z", "datePublished": "2026-03-07T01:21:23.469Z", "dateUpdated": "2026-04-08T17:23:25.055Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:25.055Z"}, "affected": [{"vendor": "mdjm", "product": "MDJM Event Management", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.7.8.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'custom_fields_controller' function in all versions up to, and including, 1.7.8.1. This makes it possible for unauthenticated attackers to delete arbitrary custom event fields via the 'delete_custom_field' and 'id' parameters."}], "title": "MDJM Event Management <= 1.7.8.1 - Missing Authorization to Unauthenticated Arbitrary Custom Event Field Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cb309336-5b35-45cf-9c58-4bb75d8a5cba?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mobile-dj-manager/trunk/includes/admin/pages/event-fields.php#L100"}, {"url": "https://plugins.trac.wordpress.org/browser/mobile-dj-manager/tags/1.7.7/includes/admin/pages/event-fields.php#L100"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3464190%40mobile-dj-manager&new=3464190%40mobile-dj-manager&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2026-01-30T17:24:15.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-06T11:57:27.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T19:12:40.645220Z", "id": "CVE-2026-1650", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:33:34.252Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1650", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T19:12:40.645220Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:12:41.743Z"}}], "cna": {"title": "MDJM Event Management <= 1.7.8.1 - Missing Authorization to Unauthenticated Arbitrary Custom Event Field Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "mdjm", "product": "MDJM Event Management", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.7.8.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-30T17:24:15.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-06T11:57:27.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cb309336-5b35-45cf-9c58-4bb75d8a5cba?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mobile-dj-manager/trunk/includes/admin/pages/event-fields.php#L100"}, {"url": "https://plugins.trac.wordpress.org/browser/mobile-dj-manager/tags/1.7.7/includes/admin/pages/event-fields.php#L100"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3464190%40mobile-dj-manager&new=3464190%40mobile-dj-manager&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'custom_fields_controller' function in all versions up to, and including, 1.7.8.1. This makes it possible for unauthenticated attackers to delete arbitrary custom event fields via the 'delete_custom_field' and 'id' parameters."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:25.055Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1650", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:23:25.055Z", "dateReserved": "2026-01-29T19:07:23.727Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-07T01:21:23.469Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'custom_fields_controller' function in all versions up to, and including, 1.7.8.1. This makes it possible for unauthenticated attackers to delete arbitrary custom event fields via the 'delete_custom_field' and 'id' parameters."}, {"lang": "es", "value": "El plugin MDJM Event Management para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una comprobaci\u00f3n de capacidad faltante en la funci\u00f3n 'custom_fields_controller' en todas las versiones hasta la 1.7.8.1, inclusive. Esto hace posible que atacantes no autenticados eliminen campos de evento personalizados arbitrarios a trav\u00e9s de los par\u00e1metros 'delete_custom_field' e 'id'."}], "id": "CVE-2026-1650", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-07T02:16:11.720", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mobile-dj-manager/tags/1.7.7/includes/admin/pages/event-fields.php#L100"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mobile-dj-manager/trunk/includes/admin/pages/event-fields.php#L100"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3464190%40mobile-dj-manager&new=3464190%40mobile-dj-manager&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cb309336-5b35-45cf-9c58-4bb75d8a5cba?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "MDJM Event Management", "source": "cna", "vendor": "mdjm"}, "product": "mdjm_event_management", "vendor": "mdjm"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T17:49:22.559770+00:00", "value": {"mitigation_remediation": ["Check the vendor\u2019s website or plugin repository for an official update that restores the missing capability check.", "If an update is not immediately available, modify the plugin or implement a custom filter to enforce that only users with adequate capabilities (e.g., administrator) can trigger the delete_custom_field action.", "As a temporary measure, consider removing or disabling the delete link in the admin event\u2011field management interface for users who lack proper role assignments to reduce the attack surface."], "summary": {"action": "Assess and Patch", "impact": "Unauthorized Deletion of Custom Event Fields"}, "threat_synthesis": {"affected_systems": "All WordPress installations running MDJM Event Management plugin versions up to and including 1.7.8.1 are affected. The vulnerability is present in every release up to that point and impacts the plugin\u2019s administrative interface that manages custom event fields.", "description_and_impact": "The MDJM Event Management plugin for WordPress lacks a capability check in its custom_fields_controller function, enabling unauthenticated users to delete any custom event field using the delete_custom_field and id parameters. This flaw permits arbitrary data modification, potentially destroying or corrupting event information stored by the system. The weakness is classified as an Authorization Failure (CWE-862).", "risk_and_exploitability": "The CVSS base score of 5.3 indicates medium severity. EPSS reflects a very low probability of exploitation (<1%), and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is remote and unauthenticated, via HTTP requests to the plugin\u2019s event\u2011field controller endpoint, requiring no authentication credentials or elevated privileges."}}}}, "created": "2026-03-09T10:06:04.423842+00:00", "updated": "2026-04-15T18:00:15.464115+00:00", "vendors": ["mdjm", "mdjm$PRODUCT$mdjm_event_management", "wordpress", "wordpress$PRODUCT$wordpress"]}