CVE-2026-1508
Received Received - Intake
CSRF Vulnerability in Court Reservation Plugin Allows Admin Event Deletion

Publication date: 2026-03-10

Last updated on: 2026-03-10

Assigner: WPScan

Description
The Court Reservation WordPress plugin before 1.10.9 does not have CSRF check in place when deleting events, which could allow attackers to make a logged in admin delete them via a CSRF attack
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1508
EUVD
EUVD-2026-10474
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wpdevart court_reservation to 1.10.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-1508 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin "Court Reservation" versions prior to 1.10.9.'}, {'type': 'paragraph', 'content': 'The plugin does not have proper CSRF protection when deleting events, which means an attacker can trick a logged-in administrator into unintentionally deleting events by exploiting this flaw.'}, {'type': 'paragraph', 'content': 'This vulnerability is classified under CWE-352 and falls under the OWASP Top 10 category A2: Broken Authentication and Session Management.'}] [1]

Impact Analysis

An attacker exploiting this vulnerability can cause a logged-in administrator to unknowingly delete important events from the Court Reservation plugin.

This could lead to loss of critical event data, disruption of service, and potential administrative confusion or operational issues within the affected WordPress site.

Since the attack requires the administrator to be logged in, it targets the session management and trust of authenticated users.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability is related to the Court Reservation WordPress plugin versions prior to 1.10.9 lacking CSRF protection when deleting events. Detection typically involves verifying the plugin version installed on your WordPress site.'}, {'type': 'paragraph', 'content': 'You can check the installed version of the Court Reservation plugin via the WordPress admin dashboard or by running commands on the server hosting WordPress.'}, {'type': 'list_item', 'content': 'Use WP-CLI to check the plugin version: wp plugin list | grep court-reservation'}, {'type': 'list_item', 'content': "Manually inspect the plugin's main file (usually in wp-content/plugins/court-reservation/) for version information."}, {'type': 'paragraph', 'content': 'Since this is a CSRF vulnerability, network detection is difficult without monitoring for suspicious POST requests that delete events. There are no specific commands provided to detect CSRF attacks directly.'}] [1]

Mitigation Strategies

The primary mitigation step is to update the Court Reservation WordPress plugin to version 1.10.9 or later, where the CSRF vulnerability has been fixed.

Until the update can be applied, consider restricting administrative access to trusted users only and avoid clicking on suspicious links while logged in as an administrator.

Implement additional security measures such as enabling a Web Application Firewall (WAF) that can help block CSRF attack attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1508. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart