MDJM Event Management Missing Authorization Vulnerability Allowing Unauthenticated Custom Field Deletion

Vulnerability

A vulnerability exists in the MDJM Event Management plugin for WordPress, in all versions through 1.7.8.1. The issue arises from a missing capability check in the 'custom_fields_controller' function, which allows unauthenticated users to delete arbitrary custom event fields by supplying the 'delete_custom_field' and 'id' parameters.

Impact

Exploitation of this vulnerability allows for unauthorized deletion of custom event fields, potentially leading to loss of important event data.

Reproduction

To reproduce this vulnerability, send a request to the 'custom_fields_controller' function without the necessary authorization. Include the 'delete_custom_field' and 'id' parameters to specify which custom event field to delete. The absence of a capability check allows this action to be performed by unauthenticated users.

Remediation

Users are advised to update the MDJM Event Management plugin to version 1.7.8.2 or later.
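To show what a missing capability check looks like in a WordPress handler and how the same handler reads once authorization is enforced, the following PHP is an added illustration. It is not the plugin's code and does not describe what version 1.7.8.2 actually changed; the 'manage_options' capability, the nonce action name 'mdjm_delete_custom_field', the in-memory field store and the stand-in WordPress functions are all assumptions made so the file runs from the PHP CLI without WordPress loaded. The parameter names 'delete_custom_field' and 'id' are the ones named in the advisory.

```php
<?php
// Added illustration (not the plugin's code): one controller written twice,
// first with the missing capability check, then hardened.
// The stand-ins below are constructed so this file runs from the CLI without
// WordPress; inside WordPress the real functions of the same name are used.

if (!function_exists('current_user_can')) {
    // Constructed stand-in: simulate an unauthenticated visitor (no capabilities).
    function current_user_can($capability) { return false; }
}
if (!function_exists('wp_verify_nonce')) {
    // Constructed stand-in: no valid nonce is present on the request.
    function wp_verify_nonce($nonce, $action) { return false; }
}
if (!function_exists('absint')) {
    // Mirrors WordPress absint(): non-negative integer from arbitrary input.
    function absint($value) { return abs((int) $value); }
}

// Constructed in-memory store standing in for the plugin's persisted fields.
$custom_fields = [1 => 'Venue', 2 => 'Headcount'];

// Vulnerable shape: the request parameters alone decide what gets deleted.
// Nothing checks who is asking or whether the request is authentic.
function custom_fields_controller_vulnerable(array $request, array &$fields): string
{
    if (isset($request['delete_custom_field'], $request['id'])) {
        $id = absint($request['id']);
        unset($fields[$id]);
        return "deleted $id";
    }
    return 'no-op';
}

// Hardened shape: authorization (capability) and request authenticity (nonce)
// are both verified before any state change. 'manage_options' and the nonce
// action name are assumptions chosen for this illustration.
function custom_fields_controller_hardened(array $request, array &$fields): string
{
    if (!isset($request['delete_custom_field'], $request['id'])) {
        return 'no-op';
    }
    // Authorization: only a user holding the capability may delete fields.
    if (!current_user_can('manage_options')) {
        return 'denied: insufficient capability';
    }
    // Authenticity: the request must carry a nonce tied to this action,
    // which also blocks cross-site request forgery against an admin.
    if (!wp_verify_nonce($request['_wpnonce'] ?? '', 'mdjm_delete_custom_field')) {
        return 'denied: invalid nonce';
    }
    $id = absint($request['id']);
    if (!isset($fields[$id])) {
        return 'denied: unknown field';
    }
    unset($fields[$id]);
    return "deleted $id";
}

// Constructed request from an anonymous visitor carrying only the two parameters.
$request = ['delete_custom_field' => '1', 'id' => '2'];

$before = $custom_fields;
echo 'vulnerable: ', custom_fields_controller_vulnerable($request, $before), PHP_EOL;
echo 'fields left: ', implode(', ', $before), PHP_EOL;

$after = $custom_fields;
echo 'hardened:   ', custom_fields_controller_hardened($request, $after), PHP_EOL;
echo 'fields left: ', implode(', ', $after), PHP_EOL;
```

The ordering of the checks in the hardened version is deliberate: the capability check runs before the nonce check, so an unauthenticated request is rejected on authorization grounds regardless of what else it carries, and the existence check on the id runs last so that error messages never reveal field ids to a caller who was not entitled to act on them. For detection, a request handler of this shape is also a natural place to log denied deletion attempts with the source address and the requested id.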

Added: Mar 7, 2026, 2:30 AM
Updated: Mar 7, 2026, 2:30 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.4
remediation: 0.0
relevance: 3.6
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.