Attack Vectors
CVE-2026-1650 affects the MDJM Event Management WordPress plugin (slug: mobile-dj-manager) in versions up to and including 1.7.8.1. The severity is Medium (CVSS 5.3), and it can be exploited over the network with no login required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
In practical terms, an unauthenticated attacker can send a crafted request that triggers deletion of custom event fields by supplying the delete_custom_field and id parameters. Because the issue stems from a missing authorization (capability) check in the plugin’s custom_fields_controller function, the attacker does not need a valid account to attempt the change.
Security Weakness
The core weakness is missing authorization: the plugin does not properly verify that the requester has permission to delete custom event fields. This is a classic access-control gap, where an action intended for administrators or authorized staff can be invoked by anyone on the internet.
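To make the gap concrete, here is an added illustration of the pattern the advisory describes, written for this page and not taken from the MDJM plugin's code base: an admin-side handler reacting to the delete_custom_field and id parameters, first without any authorization check and then in a hardened form. The function names, the 'manage_options' capability, the nonce action name, the 'admin_init' hook and the use of wp_delete_post() as the storage call are all assumptions; the plugin's real capability, hook and storage may differ.

```php
<?php
/**
 * Added illustration, not MDJM's own code. Function names, the capability,
 * the nonce action, the hook and the storage call are assumptions.
 */

// Pattern the advisory describes: the handler acts on the request without
// establishing who is asking (no capability check, no nonce check).
function mdjm_demo_delete_custom_field_unchecked() {
    if ( empty( $_REQUEST['delete_custom_field'] ) || empty( $_REQUEST['id'] ) ) {
        return;
    }
    $id = absint( $_REQUEST['id'] );
    wp_delete_post( $id, true ); // runs for any visitor who supplies the parameters
}

// Hardened form: check permission, then verify intent, then act, then log.
function mdjm_demo_delete_custom_field_checked() {
    if ( empty( $_REQUEST['delete_custom_field'] ) || empty( $_REQUEST['id'] ) ) {
        return;
    }

    // 1. Authorization: 'manage_options' stands in for the plugin's real capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to delete custom fields.' ), '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the request must carry a nonce for this action and user.
    //    The matching form would emit it with wp_nonce_field( 'mdjm_demo_delete_field' ).
    check_admin_referer( 'mdjm_demo_delete_field' );

    // 3. Input handling: coerce the id to a positive integer before touching data.
    $id = absint( $_REQUEST['id'] );
    if ( 0 === $id ) {
        return;
    }

    // 4. Audit trail: record who deleted what, so a later review can confirm intent.
    error_log( sprintf( 'custom field %d deleted by user %d', $id, get_current_user_id() ) );

    wp_delete_post( $id, true ); // assumed storage call; the plugin may store fields differently
}

// Only the checked handler is wired up. Note that 'admin_init' also fires for
// admin-ajax.php requests from logged-out visitors, so the hook itself does not
// restrict access; the capability check inside the handler does.
add_action( 'admin_init', 'mdjm_demo_delete_custom_field_checked' );
```

The logging line is what lets the post-update review recommended below answer "who removed this field and when" instead of only "a field is missing".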
Because this vulnerability enables unauthorized data modification (integrity impact) rather than data theft, it may not immediately trigger typical “breach” alarms. However, for marketing, operations, and compliance teams, silent unauthorized changes can be just as damaging to business outcomes and reporting accuracy.
Technical or Business Impacts
Operational disruption: Custom event fields often capture critical booking details, service options, deposits, timelines, and client preferences. If those fields are deleted, teams may lose structure in workflows and data collection, increasing back-and-forth with customers and raising the risk of delivery mistakes.
Revenue and brand impact: Inconsistent or missing event information can lead to misquoted packages, scheduling errors, and poor customer experiences—issues that can directly affect conversion rates, upsell opportunities, and reviews.
Reporting and compliance risk: If custom fields are used for internal controls (e.g., consent flags, special requirements, or contract-related notes), unauthorized deletion can weaken audit trails and complicate compliance documentation.
Recommended remediation: Update MDJM Event Management to version 1.7.8.2 or a newer patched release. After updating, review recent changes to event custom fields to confirm nothing was removed unexpectedly and consider tightening access to administrative endpoints as part of standard WordPress hardening.
Similar Attacks
Missing authorization checks are a common cause of real-world WordPress incidents, where attackers change or delete data without needing an account. Examples of similar categories of attacks include:
CVE-2023-2732 (WooCommerce Payments) — unauthenticated account takeover via authorization weakness