Description
The Court Reservation WordPress plugin before 1.10.9 does not have CSRF check in place when deleting events, which could allow attackers to make a logged in admin delete them via a CSRF attack
Published: 2026-03-10
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of scheduled events by an authenticated admin through a CSRF exploit
Action: Immediate Patch
AI Analysis

Impact

The Court Reservation WordPress plugin in versions before 1.10.9 lacks a CSRF check on the administrative action that deletes an event. An attacker who can get a logged-in administrator to load a crafted page or link can therefore have the admin's browser submit the deletion request with the admin's own session, removing events the admin never intended to delete. The result is loss of booking data and, in practice, disruption of the booking service, although the CVSS vector scores this as an integrity impact only (C:N/I:L/A:N). The weakness is a classic missing anti-CSRF token, categorized as CWE-352.

Affected Systems

The vulnerability affects the Court Reservation plugin from an unknown vendor, specifically any installation running a version prior to 1.10.9. No other plugins or core WordPress versions are mentioned in the report.

Risk and Exploitability

With a CVSS 3.1 score of 4.3 the risk is moderate: the vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) describes a network-reachable, low-complexity attack that needs no privileges on the target but does require user interaction, and its only scored effect is a limited integrity impact. The EPSS score is below 1%, indicating a low likelihood of exploitation in the current period, and the flaw is not listed in CISA's Known Exploited Vulnerabilities catalog. Exploitation requires coercing a logged-in administrator into visiting a malicious link or loading a malicious page that triggers the deletion action, which is a straightforward CSRF attack: the browser attaches the admin's WordPress session cookies to the forged request and the plugin has no per-request secret to tell it apart from a legitimate one.

Generated by OpenCVE AI on April 16, 2026 at 09:53 UTC.

Remediation

No vendor advisory or workaround is linked from this page. The CVE description states that versions before 1.10.9 are affected, so 1.10.9 is the first release in which the deletion action is protected.

OpenCVE Recommended Actions

  • Apply the latest plugin update (v1.10.9 or newer) to remove the CSRF oversight.
  • If updating immediately is not possible, add a WordPress nonce (or equivalent per-user, per-action token) to the event deletion link or form and verify it on the server before deleting anything, rejecting requests that arrive without a valid token.
  • Restrict administrative privileges and enable two‑factor authentication for admin accounts to reduce the chance that a compromised or hijacked session can execute unintended deletions.
  • Monitor for unexpected event deletions (WordPress core does not keep an audit log, so use an activity-log plugin or the web server's access logs for the plugin's admin endpoints) and review admin activity regularly.
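The following is an added illustration of the missing check described in the Risk section and the nonce fix recommended above, written in WordPress PHP for this page. It is not the Court Reservation plugin's code and nothing about the plugin's real handler is known here: the action name cr_delete_event, the event_id parameter, the cr_event post type, the manage_options capability and the example URL in the comment are all assumptions chosen for the example.

```php
<?php
/*
 * Added illustration, not code from the Court Reservation plugin.
 * Assumed names: the "cr_delete_event" action, the "event_id" request
 * parameter, the "cr_event" post type and the "manage_options" capability.
 */

// --- Vulnerable pattern: any request that reaches this handler deletes the event.
// There is no secret the attacker cannot guess, so a page the admin merely loads
// can trigger it, e.g. (illustrative URL, not the plugin's real endpoint):
//   <img src="https://victim.example/wp-admin/admin-post.php?action=cr_delete_event&event_id=42">
function cr_delete_event_vulnerable() {
    $event_id = absint( $_REQUEST['event_id'] ?? 0 );
    if ( $event_id ) {
        wp_delete_post( $event_id, true ); // assumption: events are stored as posts
    }
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}

// --- Hardened pattern: nonce bound to the specific event, plus a capability check.
// The delete link must be built with the nonce so legitimate clicks carry it.
function cr_delete_event_link( $event_id ) {
    $url = add_query_arg(
        array( 'action' => 'cr_delete_event', 'event_id' => $event_id ),
        admin_url( 'admin-post.php' )
    );
    // Including the event id in the nonce action means a nonce for event 7
    // cannot be replayed to delete event 42.
    return wp_nonce_url( $url, 'cr_delete_event_' . $event_id, '_wpnonce' );
}

function cr_delete_event_hardened() {
    // Authorisation first: CSRF protection is not a substitute for it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    $event_id = absint( $_REQUEST['event_id'] ?? 0 );
    // check_admin_referer() runs wp_verify_nonce() on $_REQUEST['_wpnonce'] and
    // dies with HTTP 403 if the nonce is missing, older than 24 hours, or was
    // generated for another user, another session or another action string.
    check_admin_referer( 'cr_delete_event_' . $event_id, '_wpnonce' );
    // Also refuse to delete arbitrary post IDs: only the plugin's own event type.
    if ( $event_id && get_post_type( $event_id ) === 'cr_event' ) {
        wp_delete_post( $event_id, true );
    }
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}

// admin_post_{action} fires only for logged-in users; the admin_post_nopriv_
// variant is deliberately not registered, so anonymous requests never reach it.
add_action( 'admin_post_cr_delete_event', 'cr_delete_event_hardened' );
```

Two caveats a reviewer would raise: a WordPress nonce is a keyed hash of the user ID, session token, action string and a 12-hour time tick, not a single-use token, so it stops cross-site forgery but does not stop a replay by someone who already obtained the URL; and because the nonce is derived from the user's session, a forged request from a third-party origin can never carry a valid one unless the attacker can already read the admin's pages, which is an XSS problem rather than a CSRF one.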

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Court Reservation; Court Reservation / court Reservation; Wordpress; Wordpress / wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Court Reservation; Court Reservation / court Reservation; Wordpress; Wordpress / wordpress

Tue, 10 Mar 2026 13:15:00 +0000

Type: Weaknesses
Values Removed: none
Values Added: CWE-352

Type: Metrics
Values Removed: none
Values Added:
  cvssV3_1: score 4.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
  ssvc (version 2.0.3): Automatable: no; Exploitation: none; Technical Impact: partial


Tue, 10 Mar 2026 06:30:00 +0000

Type: Description
Values Removed: none
Values Added: The Court Reservation WordPress plugin before 1.10.9 does not have CSRF check in place when deleting events, which could allow attackers to make a logged in admin delete them via a CSRF attack

Type: Title
Values Removed: none
Values Added: Court Reservation < 1.10.9 - Event Deletion via CSRF
References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-03-10T12:58:58.315Z

Reserved: 2026-01-27T20:42:36.100Z

Link: CVE-2026-1508

Vulnrichment

Updated: 2026-03-10T12:58:42.865Z

NVD

Status : Deferred

Published: 2026-03-10T17:32:18.333

Modified: 2026-04-15T14:42:29.303

Link: CVE-2026-1508

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T10:00:14Z

Weaknesses