Platform
wordpress
Component
simple-event-attendance
Fixed in
1.5.1
CVE-2026-1983 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the SEATT: Simple Event Attendance plugin for WordPress. This flaw allows unauthenticated attackers to delete events if they can manipulate an administrator into performing a forged request. The vulnerability impacts versions 1.0.0 through 1.5.0, and a patch is available in version 1.5.1.
An attacker exploiting this CSRF vulnerability can leverage a malicious link or script to trigger event deletion on a WordPress site. This could lead to data loss, disruption of event schedules, and potential reputational damage. The attacker needs to trick an authenticated administrator into clicking the malicious link, which could be achieved through phishing or social engineering tactics. The blast radius is limited to the events managed by the SEATT plugin and accessible to the administrator targeted by the attack.
This vulnerability was publicly disclosed on 2026-02-14. No public proof-of-concept (POC) code has been identified at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The medium CVSS score reflects the requirement for administrator interaction to trigger the exploit.
WordPress websites using the SEATT: Simple Event Attendance plugin, particularly those with shared hosting environments or where administrators are susceptible to phishing attacks, are at risk. Sites with legacy WordPress configurations or those lacking robust security practices are also more vulnerable.
• wordpress / composer / npm:
grep -r 'SEATT: Simple Event Attendance' /var/www/html/wp-content/plugins/
wp plugin list | grep 'simple-event-attendance'
• generic web:
curl -I 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=seatt_delete_event&event_id=1' | grep 'CSRF token'
Disclosure
Exploit status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-1983 is to immediately upgrade the SEATT: Simple Event Attendance plugin to version 1.5.1 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the event deletion endpoint with missing or invalid CSRF tokens. Additionally, educate administrators about the risks of clicking on suspicious links and verify the authenticity of requests before performing actions. After upgrading, confirm the fix by attempting to delete an event via a crafted request – it should be rejected.
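To make the fix class concrete, here is an added example (not the plugin's actual code, and not taken from the advisory): a hypothetical admin-ajax delete handler in the shape that produces this CSRF hole, beside a hardened version that binds the request to a WordPress nonce and a capability check. The action name `seatt_delete_event` is taken from the detection command above; the `manage_options` capability, the nonce action name and the `delete_event()` helper are assumptions.

```php
<?php
// Added illustration, not the SEATT plugin's real code.
// delete_event() is an assumed helper standing in for the plugin's own logic.

// BEFORE (vulnerable pattern): any request that reaches admin-ajax.php with
// action=seatt_delete_event while an administrator's cookies are attached
// deletes the event. A page on a different origin can trigger it.
function seatt_delete_event_vulnerable() {
    $event_id = absint( $_REQUEST['event_id'] ?? 0 );
    delete_event( $event_id );   // assumed helper
    wp_die( 'deleted' );
}

// AFTER (hardened): require a nonce tied to this action and the current
// user, enforce the capability, and refuse GET so a plain link cannot delete.
// A cross-site page cannot obtain a valid nonce, so the forged request is
// rejected before any state changes.
function seatt_delete_event_hardened() {
    // Sends HTTP 403 and stops when the _ajax_nonce value is missing or invalid.
    check_ajax_referer( 'seatt_delete_event', '_ajax_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {   // assumed capability
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_send_json_error( 'POST required', 405 );
    }

    $event_id = absint( $_POST['event_id'] ?? 0 );
    if ( 0 === $event_id ) {
        wp_send_json_error( 'invalid event_id', 400 );
    }
    delete_event( $event_id );   // assumed helper
    wp_send_json_success( array( 'deleted' => $event_id ) );
}

// Registered for logged-in users only; without a wp_ajax_nopriv_ hook,
// anonymous requests to this action are refused by admin-ajax.php itself.
add_action( 'wp_ajax_seatt_delete_event', 'seatt_delete_event_hardened' );

// The admin-side delete button must send the matching token, e.g.
// wp_create_nonce( 'seatt_delete_event' ) posted as the _ajax_nonce field.
```

Note that a WordPress nonce is derived per user and per action, so an edge WAF cannot validate it; a WAF rule can only require that the nonce field is present and that the Origin or Referer matches the site, which narrows the window until the plugin-level fix is deployed.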
No known patch available. Please review the vulnerability details carefully and apply mitigations based on your organization's risk appetite. It may be best to uninstall the affected software and find an alternative.
CVE-2026-1983 is a Cross-Site Request Forgery (CSRF) vulnerability in the SEATT: Simple Event Attendance WordPress plugin, allowing attackers to delete events if they can trick an administrator. It affects versions 1.0.0–1.5.0.
Yes, if your WordPress site uses the SEATT: Simple Event Attendance plugin in versions 1.0.0 through 1.5.0, you are vulnerable to this CSRF attack.
Upgrade the SEATT: Simple Event Attendance plugin to version 1.5.1 or later to resolve the vulnerability. Consider WAF rules as a temporary workaround.
There are currently no confirmed reports of active exploitation of CVE-2026-1983, but the vulnerability is publicly known.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information regarding CVE-2026-1983.