CVE-2026-1650 is a vulnerability identified in the MDJM Event Management plugin for WordPress, affecting all versions up to and including 1.7.8.1. The root cause is a missing authorization check (CWE-862) in the 'custom_fields_controller' function, which handles operations on custom event fields. Specifically, the plugin fails to verify user capabilities before processing requests to delete custom fields, exposing the 'delete_custom_field' and 'id' parameters to unauthenticated HTTP requests. As a result, an attacker can remotely invoke these parameters to delete arbitrary custom event fields without any authentication or user interaction. This unauthorized modification compromises the integrity of event data managed by the plugin but does not affect confidentiality or availability. The vulnerability is remotely exploitable over the network with low attack complexity and no privileges required. Although no public exploits have been reported yet, the vulnerability's presence in a widely used WordPress plugin makes it a notable risk. The CVSS v3.1 base score of 5.3 reflects a medium severity, driven by the ease of exploitation and integrity impact. No official patches or updates have been linked yet, so users must monitor vendor advisories closely.

The primary impact of CVE-2026-1650 is unauthorized integrity modification of event data within WordPress sites using the MDJM Event Management plugin. Attackers can delete custom event fields, potentially disrupting event management workflows, causing data loss, and undermining trust in event information. While confidentiality and availability remain unaffected, the integrity breach could lead to operational issues, misinformation, and administrative overhead to restore data. Organizations relying on this plugin for critical event scheduling or public-facing event information may experience reputational damage or operational disruption. Since exploitation requires no authentication and can be performed remotely, the attack surface is broad, increasing the risk of opportunistic attacks. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability becomes widely known.

To mitigate CVE-2026-1650, organizations should first check for and apply any official patches or updates released by the MDJM plugin developers as soon as they become available. In the absence of patches, administrators can implement the following specific mitigations: 1) Restrict access to the WordPress REST API endpoints or AJAX handlers associated with the 'custom_fields_controller' function using web application firewall (WAF) rules or server-level access controls to block unauthenticated requests targeting the 'delete_custom_field' and 'id' parameters. 2) Employ WordPress security plugins that enforce capability checks or monitor unauthorized changes to plugin data. 3) Regularly audit and back up event data to enable recovery from unauthorized deletions. 4) Monitor web server and application logs for suspicious requests attempting to invoke deletion operations without authentication. 5) Consider temporarily disabling or replacing the MDJM Event Management plugin with alternative solutions until a secure version is available. These targeted actions go beyond generic advice by focusing on access control and monitoring specific to the vulnerable functionality.