CVE-2026-1983 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the SEATT: Simple Event Attendance plugin for WordPress, affecting all versions up to and including 1.5.0. The vulnerability stems from the absence of nonce validation on the event deletion endpoint, a critical security control designed to ensure that requests originate from legitimate users and not from forged sources. Because of this missing validation, an attacker can craft a malicious link or webpage that, when visited by an administrator logged into the WordPress backend, triggers the deletion of arbitrary events without their explicit consent. The attack does not require the attacker to be authenticated but does require the administrator to interact with the malicious content (e.g., clicking a link). The vulnerability impacts the integrity of event data by enabling unauthorized deletion but does not affect confidentiality or availability. The CVSS 3.1 base score of 4.3 reflects a network attack vector with low complexity, no privileges required, and user interaction necessary. No patches or exploit code are currently publicly available, and no known exploits have been observed in the wild. The vulnerability is classified under CWE-352, which covers CSRF weaknesses. The plugin is used to manage event attendance, so the deletion of events could disrupt organizational event management and record-keeping.

The primary impact of this vulnerability is the unauthorized deletion of event data, which compromises data integrity within affected WordPress sites using the SEATT plugin. For organizations relying on this plugin to manage events, such as educational institutions, community groups, or businesses, this could lead to loss of critical event records, scheduling confusion, and potential reputational damage. While confidentiality and availability are not directly impacted, the integrity breach could disrupt operations and require administrative overhead to restore deleted events. Since exploitation requires an administrator to be tricked into clicking a malicious link, the attack vector is limited but still significant, especially in environments where administrators may be targeted via phishing or social engineering. The lack of known exploits reduces immediate risk, but the vulnerability remains a concern until patched. Organizations with high event management dependency or large user bases are more vulnerable to operational disruption.

To mitigate this vulnerability, organizations should first update the SEATT: Simple Event Attendance plugin to a version that includes proper nonce validation on event deletion requests once available. Until a patch is released, administrators should be trained to recognize and avoid clicking suspicious links, especially those received via email or untrusted websites. Implementing web application firewalls (WAFs) with rules to detect and block CSRF attack patterns can provide additional protection. Site administrators should enforce the principle of least privilege, limiting the number of users with event deletion rights. Additionally, enabling multi-factor authentication (MFA) for WordPress admin accounts can reduce the risk of session hijacking that could facilitate exploitation. Regular backups of event data should be maintained to allow recovery in case of unauthorized deletions. Monitoring logs for unusual deletion activity can help detect attempted exploitation early.