Platform: wordpress
Component: simple-event-attendance
Fixed in: 1.5.1
CVE-2026-1983 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the SEATT: Simple Event Attendance plugin for WordPress. This flaw allows unauthenticated attackers to delete events if they can manipulate an administrator into performing a forged request. The vulnerability impacts versions 1.0.0 through 1.5.0, and a patch is available in version 1.5.1.
An attacker exploiting this CSRF vulnerability can leverage a malicious link or script to trigger event deletion on a WordPress site. This could lead to data loss, disruption of event schedules, and potential reputational damage. The attacker needs to trick an authenticated administrator into clicking the malicious link, which could be achieved through phishing or social engineering tactics. The blast radius is limited to the events managed by the SEATT plugin and accessible to the administrator targeted by the attack.
This vulnerability was publicly disclosed on 2026-02-14. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability is not currently listed in the CISA KEV catalog. The medium CVSS score reflects the requirement for administrator interaction to trigger the exploit.
EPSS: 0.01% (2% percentile)
The primary mitigation for CVE-2026-1983 is to immediately upgrade the SEATT: Simple Event Attendance plugin to version 1.5.1 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the event deletion endpoint with missing or invalid CSRF tokens. Additionally, educate administrators about the risks of clicking on suspicious links, and have them verify the authenticity of requests before performing actions. After upgrading, confirm the fix by attempting to delete an event via a crafted request; it should be rejected.
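The log check below is an added example, not code from the advisory or the plugin: it triages web-server access logs for accepted event-deletion requests that carry no nonce in the URL or arrive with an off-site Referer, the condition the WAF workaround above keys on. The host, the `page`/`action`/`event_id` parameters and every sample line are assumed placeholders; `_wpnonce` is WordPress's default nonce parameter name.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumptions, not values from the advisory: set SITE_HOST and DELETE_MARKERS to
# your host and the plugin's real delete request. "_wpnonce" is the WordPress default.
SITE_HOST = "www.example.test"
DELETE_MARKERS = {"page": "PLUGIN-PAGE-SLUG", "action": "delete"}

# Combined log format: ip - user [time] "METHOD uri proto" status size "referer" ...
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

def csrf_indicators(line):
    """None if not an accepted delete request, else (timestamp, [indicators])."""
    m = LINE_RE.match(line)
    if not m or int(m["status"]) >= 400:   # unparsable, or rejected by the server
        return None
    url = urlsplit(m["uri"])
    query = parse_qs(url.query)
    if not url.path.startswith("/wp-admin/") or any(
            query.get(k, [""])[0] != v for k, v in DELETE_MARKERS.items()):
        return None
    reasons = []
    # A POST carries its nonce in the body, which access logs do not record,
    # so a missing nonce is only meaningful for GET requests.
    if m["method"] == "GET" and not query.get("_wpnonce"):
        reasons.append("no nonce in URL")
    if urlsplit(m["referer"]).hostname != SITE_HOST:
        reasons.append("referer missing or off-site")
    return m["ts"], reasons

def suspicious(lines):
    """Accepted delete requests that show at least one CSRF indicator."""
    found = (csrf_indicators(line) for line in lines)
    return [hit for hit in found if hit and hit[1]]

# Constructed sample log lines (hosts, IDs and nonce values are made up).
DELETE_URI = "/wp-admin/admin.php?page=PLUGIN-PAGE-SLUG&action=delete&event_id=7"
SAMPLE = [
    f'198.51.100.7 - - [10/Feb/2026:09:14:02 +0000] "GET {DELETE_URI}&_wpnonce=a1b2c3d4e5 HTTP/1.1" 302 0 "https://www.example.test/wp-admin/admin.php" "UA"',
    f'198.51.100.7 - - [10/Feb/2026:09:20:41 +0000] "GET {DELETE_URI} HTTP/1.1" 302 0 "https://mail.example.net/" "UA"',
    f'198.51.100.7 - - [10/Feb/2026:09:21:05 +0000] "GET {DELETE_URI} HTTP/1.1" 403 0 "https://mail.example.net/" "UA"',
    '198.51.100.7 - - [10/Feb/2026:09:22:10 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 512 "-" "UA"',
]

if __name__ == "__main__":
    print(*suspicious(SAMPLE), sep="\n")
```

A Referer stripped by browser privacy settings or a referrer policy also trips the second indicator, so treat hits as leads to compare against events that actually went missing.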
CVE-2026-1983 is a Cross-Site Request Forgery (CSRF) vulnerability in the SEATT: Simple Event Attendance WordPress plugin, allowing attackers to delete events if they can trick an administrator. It affects versions 1.0.0–1.5.0.
Yes, if your WordPress site uses the SEATT: Simple Event Attendance plugin in versions 1.0.0 through 1.5.0, you are vulnerable to this CSRF attack.
Upgrade the SEATT: Simple Event Attendance plugin to version 1.5.1 or later to resolve the vulnerability. Consider WAF rules as a temporary workaround.
There are currently no confirmed reports of active exploitation of CVE-2026-1983, but the vulnerability is publicly known.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information regarding CVE-2026-1983.