Platform
wordpress
Component
simple-event-attendance
Fixed version
1.5.1
CVE-2026-1983 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the SEATT: Simple Event Attendance plugin for WordPress. This flaw allows unauthenticated attackers to delete events if they can manipulate an administrator into performing a forged request. The vulnerability impacts versions 1.0.0 through 1.5.0, and a patch is available in version 1.5.1.
An attacker exploiting this CSRF vulnerability can leverage a malicious link or script to trigger event deletion on a WordPress site. This could lead to data loss, disruption of event schedules, and potential reputational damage. The attacker needs to trick an authenticated administrator into clicking the malicious link, which could be achieved through phishing or social engineering tactics. The blast radius is limited to the events managed by the SEATT plugin and accessible to the administrator targeted by the attack.
This vulnerability was publicly disclosed on 2026-02-14. No public proof-of-concept (POC) code has been identified at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The medium CVSS score reflects the requirement for administrator interaction to trigger the exploit.
WordPress websites using the SEATT: Simple Event Attendance plugin, particularly those with shared hosting environments or where administrators are susceptible to phishing attacks, are at risk. Sites with legacy WordPress configurations or those lacking robust security practices are also more vulnerable.
• wordpress / composer / npm:
grep -r 'SEATT: Simple Event Attendance' /var/www/html/wp-content/plugins/
wp plugin list | grep simple-event-attendance
wp plugin get simple-event-attendance --field=version
• generic web: the installed plugin version is not exposed in HTTP response headers, so confirm it from the filesystem or with wp-cli as above rather than by probing admin-ajax.php.
Disclosure
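As an added example (not part of this advisory and not the plugin's own code), the following PHP script performs the same check as the wp-cli commands above without wp-cli: it reads the plugin's "Version:" header line from the plugin directory and compares it against the fixed version 1.5.1 and the affected range 1.0.0 through 1.5.0. The plugin directory path is an assumption; adjust it to the site's layout.

```php
<?php
// Added example: detect a vulnerable SEATT install from the plugin header.
// Not the advisory's or the plugin's code. Path below is an assumption.
const SEATT_FIRST_AFFECTED = '1.0.0';
const SEATT_FIXED_VERSION  = '1.5.1';

// Return the "Version:" header of the plugin's main file, or null if not found.
// WordPress itself reads the same header line via get_plugin_data().
function seatt_installed_version( string $plugin_dir ): ?string {
    $files = glob( rtrim( $plugin_dir, '/' ) . '/*.php' ) ?: array();
    foreach ( $files as $file ) {
        // Only the first 8 KiB holds the plugin header block.
        $header = file_get_contents( $file, false, null, 0, 8192 );
        if ( $header === false || ! preg_match( '/^[ \t\/*#@]*Plugin Name:/mi', $header ) ) {
            continue; // not the main plugin file
        }
        if ( preg_match( '/^[ \t\/*#@]*Version:\s*(\S+)/mi', $header, $m ) ) {
            return $m[1];
        }
    }
    return null;
}

// True when the installed version falls inside the advisory's affected range.
function seatt_is_vulnerable( string $installed ): bool {
    return version_compare( $installed, SEATT_FIRST_AFFECTED, '>=' )
        && version_compare( $installed, SEATT_FIXED_VERSION, '<' );
}

// Usage (path is an assumption; run as a user that can read the plugin files).
$plugin_dir = '/var/www/html/wp-content/plugins/simple-event-attendance';
$version    = seatt_installed_version( $plugin_dir );

if ( $version === null ) {
    echo "SEATT plugin not found under {$plugin_dir}\n";
} elseif ( seatt_is_vulnerable( $version ) ) {
    echo "VULNERABLE: SEATT {$version} installed, upgrade to " . SEATT_FIXED_VERSION . " or later\n";
} else {
    echo "OK: SEATT {$version} is outside the affected range\n";
}
```

version_compare() handles pre-release suffixes and differing segment counts, so a string comparison of the raw header value is avoided deliberately.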
Exploitation status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-1983 is to immediately upgrade the SEATT: Simple Event Attendance plugin to version 1.5.1 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the event deletion endpoint with missing or invalid CSRF tokens. Additionally, educate administrators about the risks of clicking on suspicious links and verify the authenticity of requests before performing actions. After upgrading, confirm the fix by attempting to delete an event via a crafted request – it should be rejected.
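To make the vulnerability class concrete, here is an added illustration of the pattern behind this kind of CSRF flaw and the fix WordPress provides for it. It is not SEATT's code; the function, option, nonce and action names are hypothetical placeholders. The first handler performs a state change (deleting an event) on the strength of a request parameter alone, so a request forged from another site, carrying the logged-in administrator's cookies, is indistinguishable from a genuine one. The second handler binds the deletion to a per-action nonce that only the plugin's own form can emit, restricts it to POST, and checks capability separately.

```php
<?php
// Added illustration, not the SEATT plugin's code. All names are placeholders.

// --- Vulnerable pattern: a deletion driven by a plain request parameter ---
// Nothing here proves the request originated from the plugin's own admin page;
// the browser attaches the admin's session cookies to a cross-site request too.
function demo_events_delete_vulnerable() {
    if ( ! isset( $_REQUEST['delete_event'] ) ) {
        return;
    }
    $event_id = (int) $_REQUEST['delete_event'];
    $events   = get_option( 'demo_events', array() );
    unset( $events[ $event_id ] );
    update_option( 'demo_events', $events );
}

// --- Hardened form: action-bound nonce + POST only + capability check ---
function demo_events_delete_hardened() {
    if ( ! isset( $_POST['delete_event'] ) ) {
        return;
    }
    $event_id = (int) $_POST['delete_event'];

    // check_admin_referer() verifies the nonce for this exact action and event
    // and calls wp_die() if it is missing or invalid, so a forged cross-site
    // request never reaches the deletion below.
    check_admin_referer( 'demo_events_delete_' . $event_id, '_demo_nonce' );

    // The nonce proves intent; the capability check proves authorisation.
    // They are different questions and both must be answered.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'demo-events' ), 403 );
    }

    $events = get_option( 'demo_events', array() );
    unset( $events[ $event_id ] );
    update_option( 'demo_events', $events );
}

// The plugin's own form emits the matching nonce; an external site cannot,
// because the nonce is derived from the user's session and a server-side salt.
function demo_events_delete_form( int $event_id ) {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'demo_events_delete_' . $event_id, '_demo_nonce' ); ?>
        <input type="hidden" name="delete_event" value="<?php echo (int) $event_id; ?>">
        <?php submit_button( 'Delete event', 'delete', 'submit', false ); ?>
    </form>
    <?php
}

// Register only the hardened handler; the vulnerable one is shown for contrast.
add_action( 'admin_init', 'demo_events_delete_hardened' );
```

The advisory's post-upgrade check ("attempt to delete an event via a crafted request, it should be rejected") corresponds to the check_admin_referer() call above: a request without the correct _demo_nonce for that event id ends in wp_die() before any option is modified. Reviewing a plugin for this pattern means looking for every handler that changes state and confirming it calls wp_verify_nonce() or check_admin_referer() before doing so.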
CVE-2026-1983 is a Cross-Site Request Forgery (CSRF) vulnerability in the SEATT: Simple Event Attendance WordPress plugin, allowing attackers to delete events if they can trick an administrator. It affects versions 1.0.0–1.5.0.
Yes, if your WordPress site uses the SEATT: Simple Event Attendance plugin in versions 1.0.0 through 1.5.0, you are vulnerable to this CSRF attack.
Upgrade the SEATT: Simple Event Attendance plugin to version 1.5.1 or later to resolve the vulnerability. Consider WAF rules as a temporary workaround.
There are currently no confirmed reports of active exploitation of CVE-2026-1983, but the vulnerability is publicly known.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information regarding CVE-2026-1983.