The MDJM Event Management plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7.8.3 via the mdjm_send_comm_email function. This is due to no file type, extension, or MIME type validation being performed on uploaded files. This makes it possible for authenticated attackers, with administrator-level access and above, to upload files that may be executable, which makes remote code execution possible.
The MDJM Event Management WordPress plugin versions up to 1.7.8.3 contains an arbitrary file upload vulnerability in the mdjm_send_comm_email function that lacks file type validation. Authenticated administrators can upload executable files leading to remote code execution on affected WordPress installations.
The MDJM Event Management plugin for WordPress contains an arbitrary file upload vulnerability in the mdjm_send_comm_email function because the file type, extension, and MIME type of uploaded files are not validated. Authorized administrators can upload executable files, leading to remote code execution on WordPress servers.
The MDJM Event Management plugin for WordPress up to version 1.7.8.3 is vulnerable to arbitrary file upload through the mdjm_send_comm_email function due to missing file validation. Administrators can upload malicious executable files, enabling remote code execution on WordPress sites.
Update MDJM Event Management plugin to version 1.7.8.4 or later immediately. Implement strict file upload validation including file type, extension, and MIME type checks. Restrict file upload permissions to trusted administrators only and store uploads outside web root. Monitor WordPress admin accounts for unauthorized access.
Update the MDJM Event Management plugin to version 1.7.8.4 or later immediately. Apply strict file upload validation, including checks of the file type, extension, and MIME type. Restrict file upload permissions to trusted administrators only and store uploads outside the web root. Monitor WordPress administrator accounts for unauthorized access.
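One way to add the missing validation described in the remediation, as an added example that is neither the plugin's code nor the vendor's fix. It assumes WordPress is loaded (wp_check_filetype_and_ext, sanitize_file_name and WP_Error are core), and the allow-list of attachment types is our own assumed policy:

```php
<?php
// Added example, not MDJM's code: validate one $_FILES entry before it is
// attached to an email or written to disk. Assumes WordPress core is loaded.

/**
 * Return the sanitized file name if $file (one entry of $_FILES) is acceptable,
 * or a WP_Error describing why it was rejected.
 */
function mdjm_example_validate_attachment( array $file ) {
    // Assumed policy: only these extension => MIME pairs may be attached.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    );

    // Refuse anything that did not arrive through an HTTP upload.
    if ( ! isset( $file['tmp_name'], $file['name'] ) || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'bad_upload', 'No uploaded file present.' );
    }

    // Strip path separators, control characters and unknown double extensions.
    $name = sanitize_file_name( $file['name'] );

    // Check the extension against the allow-list AND compare it with the file's
    // real content type (core inspects image bytes and uses finfo for other types).
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type or extension not allowed.' );
    }

    // When the extension did not match the content but the real type is still
    // allowed, core suggests a corrected name; use it rather than the client's.
    if ( ! empty( $check['proper_filename'] ) ) {
        $name = $check['proper_filename'];
    }

    // Defence in depth: reject names that still carry a script extension anywhere.
    if ( preg_match( '/\.(php\d?|phtml|phar)(\.|$)/i', $name ) ) {
        return new WP_Error( 'bad_name', 'Script extensions are not allowed.' );
    }

    return $name;
}
```

A caller should also move the accepted file with wp_handle_upload or into a directory outside the web root, and log every WP_Error so rejected attempts by administrator accounts are visible to monitoring.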