CVE-2026-1983 in SEATT Plugin
Summary
by MITRE • 02/14/2026
The SEATT: Simple Event Attendance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.0. This is due to missing nonce validation on the event deletion functionality. This makes it possible for unauthenticated attackers to delete arbitrary events via a forged request, provided they can trick an administrator into performing an action such as clicking on a link.
Analysis
by VulDB Data Team • 02/20/2026
The SEATT: Simple Event Attendance plugin for WordPress contains a critical cross-site request forgery vulnerability that affects all versions up to and including 1.5.0. It stems from the absence of nonce validation in the event deletion functionality, which lets an adversary delete event data without authenticating. The flaw falls under CWE-352, Cross-Site Request Forgery, a fundamental web security weakness that has been consistently documented in the OWASP Top Ten as a critical risk.
In practice, an unauthenticated attacker crafts a request that deletes an event from the site's database and induces an administrator to submit it, for example by clicking a link or visiting a page the attacker controls. Because the browser attaches the administrator's session cookie to that request, the plugin performs the deletion as though the administrator had initiated it. The root cause is that the plugin never checks a nonce token, the standard WordPress mechanism for confirming that a state-changing request originated from the site's own interface rather than from a third-party page. Without that check, event data can be manipulated and the event management workflows that depend on the plugin disrupted.
The operational impact goes beyond the loss of a single record, since the integrity and availability of event-related information in the affected WordPress installation are both at stake. Attackers could delete critical events, disrupt event registration, or alter attendance records, causing real operational disruption for organizations that rely on accurate event management. Organizations that use WordPress for event management and attendance tracking are therefore the most exposed, facing data loss, service disruption, and potential reputational damage. The attack does require social engineering to get an administrator to perform the triggering action, but once that succeeds, the attacker can modify event data without holding any credentials.
Organizations using the affected plugin should apply mitigations without delay. The most effective step is updating to the latest version of the plugin, in which nonce validation has been implemented, which aligns with ATT&CK technique T1213, Data from Information Repositories. Administrators should also restrict administrative privileges, monitor for unusual deletion activity, and make sure users understand the risk of following untrusted links while logged in. The vulnerability underlines the importance of proper input validation and authentication checks in web applications, as set out in the OWASP Secure Coding Practices and the NIST Cybersecurity Framework. Organizations should also review their overall security posture and apply defense-in-depth so that similar weaknesses in other components of their WordPress installations are contained.
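The missing check described in the analysis above and the nonce validation the mitigation section calls for, shown side by side as an added illustration; this is not the SEATT plugin's own code, and the function names, action name and table name are hypothetical placeholders built on standard WordPress APIs.

```php
<?php
// Added illustration, not code from the SEATT plugin. The seatt_example_*
// functions, the 'seatt_example_delete' action and the table name are
// hypothetical placeholders; the WordPress functions called are real.

// BEFORE: the pattern CVE-2026-1983 describes. Any request that reaches this
// handler deletes the event, so a request forged from another site succeeds
// as long as the victim's browser sends the administrator's session cookie.
function seatt_example_delete_event_vulnerable() {
    global $wpdb;
    if ( empty( $_REQUEST['event_id'] ) ) {
        return;
    }
    $event_id = absint( $_REQUEST['event_id'] );
    $wpdb->delete( $wpdb->prefix . 'seatt_example_events', array( 'id' => $event_id ), array( '%d' ) );
}

// AFTER: the delete link carries a nonce bound to the action and the event id
// (wp_nonce_url appends it as the _wpnonce query argument).
function seatt_example_delete_link( $event_id ) {
    $event_id = absint( $event_id );
    $url      = add_query_arg(
        array( 'action' => 'seatt_example_delete', 'event_id' => $event_id ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'seatt_example_delete_' . $event_id );
}

// The handler verifies the caller's capability first, then the nonce.
// check_admin_referer() calls wp_die() when the nonce is missing or invalid,
// which is exactly what stops a cross-site forged request.
function seatt_example_delete_event_fixed() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    $event_id = isset( $_REQUEST['event_id'] ) ? absint( $_REQUEST['event_id'] ) : 0;
    check_admin_referer( 'seatt_example_delete_' . $event_id );
    if ( $event_id > 0 ) {
        $wpdb->delete( $wpdb->prefix . 'seatt_example_events', array( 'id' => $event_id ), array( '%d' ) );
    }
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_seatt_example_delete', 'seatt_example_delete_event_fixed' );
```

Because the nonce is derived from the logged-in user's session and expires, a page on another origin cannot produce a valid one, so a forged request dies at check_admin_referer() before any database write.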