Description
The SEATT: Simple Event Attendance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.0. This is due to missing nonce validation on the event deletion functionality. This makes it possible for unauthenticated attackers to delete arbitrary events via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Published: 2026-02-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery that permits deletion of any event
Action: Update Now
AI Analysis

Impact

The Simple Event Attendance plugin for WordPress contains a CSRF vulnerability in all releases up to version 1.5.0. The flaw results from the event deletion handler failing to validate a WordPress nonce, which allows an attacker to craft a link or form that an administrator might click while authenticated. If exploited, the attacker can delete any event record on the site, causing data loss and disruption of scheduled activities.

Affected Systems

This issue affects the SEATT Simple Event Attendance plugin distributed by sourcez. All installations running an unpatched copy of the plugin, specifically versions 1.5.0 and earlier, are vulnerable. No specific patch level or sub‑version control was identified in the CVE report. Administrators should ensure that they are not using these affected releases.

Risk and Exploitability

The CVSS score of 4.3 places the vulnerability in the medium range. The EPSS score is below 1 %, indicating a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack requires social engineering to persuade an administrator to click a forged link, limiting the realistic threat window. Nevertheless, the potential for accidental or intentional loss of event data warrants proactive mitigation.

Generated by OpenCVE AI on April 15, 2026 at 17:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SEATT Simple Event Attendance to any version newer than 1.5.0.
  • If an upgrade is not immediately possible, ensure that all event deletion requests are protected by a WordPress nonce and handled only via POST, restricting access to authenticated administrators.
  • Apply a web application firewall rule or plugin that blocks unexpected GET requests to the deletion endpoint and logs suspicious activity.

Generated by OpenCVE AI on April 15, 2026 at 17:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Sourcez
Sourcez seatt: Simple Event Attendance
Wordpress
Wordpress wordpress
Vendors & Products Sourcez
Sourcez seatt: Simple Event Attendance
Wordpress
Wordpress wordpress

Sat, 14 Feb 2026 04:45:00 +0000

Type Values Removed Values Added
Description The SEATT: Simple Event Attendance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.0. This is due to missing nonce validation on the event deletion functionality. This makes it possible for unauthenticated attackers to delete arbitrary events via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Title SEATT: Simple Event Attendance <= 1.5.0 - Cross-Site Request Forgery to Arbitrary Event Deletion
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Sourcez Seatt: Simple Event Attendance
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:24:18.071Z

Reserved: 2026-02-05T14:45:19.212Z

Link: CVE-2026-1983

cve-icon Vulnrichment

Updated: 2026-02-18T18:49:09.333Z

cve-icon NVD

Status : Deferred

Published: 2026-02-14T05:16:20.140

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1983

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T17:30:10Z

Weaknesses