CVE-2026-1508
Status: Received - Intake
CSRF Vulnerability in Court Reservation Plugin Allows Admin Event Deletion

Publication date: 2026-03-10

Last updated on: 2026-03-10

Assigner: WPScan

Description
The Court Reservation WordPress plugin before 1.10.9 does not have a CSRF check in place when deleting events, which could allow attackers to make a logged-in admin delete them via a CSRF attack.
Meta Information
Published: 2026-03-10
Last Modified: 2026-03-10
Generated: 2026-05-07
AI Q&A: 2026-03-10
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
1 associated CPE
Vendor: wpdevart
Product: court_reservation
Version / Range: up to 1.10.9 (exclusive), i.e. every release before 1.10.9
Exploitability
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-1508 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin "Court Reservation" in versions prior to 1.10.9.

The plugin's event-deletion handler does not verify a CSRF token (in WordPress terms, a nonce). An attacker who gets a logged-in administrator to load a crafted page can have the admin's browser submit the deletion request; the browser attaches the admin's authentication cookies automatically, and the plugin accepts the request as if the admin had clicked the delete button.

The weakness is classified as CWE-352 (Cross-Site Request Forgery). CSRF was its own OWASP Top 10 category (A8) in the 2013 edition and has not appeared as a standalone category since 2017; it is not A2 Broken Authentication. [1]
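What "no CSRF check when deleting events" looks like in WordPress plugin code, and how the missing check is normally added, as an added illustration that is not the Court Reservation plugin's own code. The handler name cr_delete_event, the table cr_events and the manage_options capability are assumptions chosen for the example:

```php
<?php
/**
 * Added example, not code from the Court Reservation plugin or from the advisory.
 * Shows an admin-post.php handler that deletes an event row, first without any
 * request-origin check (the pattern CWE-352 describes) and then hardened with the
 * two checks WordPress provides: a capability check and a nonce check.
 *
 * Assumed (hypothetical) names: admin-post action "cr_delete_event", custom table
 * {$wpdb->prefix}cr_events, capability "manage_options".
 */

// --- Vulnerable pattern: the only "authentication" is the session cookie. ---
// Any page the admin visits can contain
//   <form action="https://site/wp-admin/admin-post.php" method="post">
//     <input name="action" value="cr_delete_event"><input name="event_id" value="42">
// and auto-submit it; the browser sends the admin's cookies, and the row is deleted.
// Shown for contrast only; it is deliberately not registered with add_action().
function cr_delete_event_vulnerable() {
    global $wpdb;
    $event_id = isset( $_POST['event_id'] ) ? absint( $_POST['event_id'] ) : 0;
    if ( $event_id ) {
        $wpdb->delete( $wpdb->prefix . 'cr_events', array( 'id' => $event_id ), array( '%d' ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=cr_events' ) );
    exit;
}

// --- Hardened handler: prove authority (capability) and intent (nonce). ---
function cr_delete_event_hardened() {
    // 1. Authorization: being logged in is not enough; require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the request must carry a nonce minted for this action and this user.
    //    check_admin_referer() runs wp_verify_nonce() on $_REQUEST['_wpnonce'] and
    //    calls wp_die() when the nonce is missing, expired or issued for another action.
    check_admin_referer( 'cr_delete_event', '_wpnonce' );

    global $wpdb;
    $event_id = isset( $_POST['event_id'] ) ? absint( $_POST['event_id'] ) : 0;
    if ( ! $event_id ) {
        wp_die( 'Missing event id.', '', array( 'response' => 400 ) );
    }
    $wpdb->delete( $wpdb->prefix . 'cr_events', array( 'id' => $event_id ), array( '%d' ) );

    wp_safe_redirect( admin_url( 'admin.php?page=cr_events&deleted=1' ) );
    exit;
}
add_action( 'admin_post_cr_delete_event', 'cr_delete_event_hardened' );

// The plugin's own admin page mints the nonce the handler expects. A page on an
// attacker's origin cannot read this value, so it cannot build a request that passes.
function cr_render_delete_form( $event_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cr_delete_event">
        <input type="hidden" name="event_id" value="<?php echo absint( $event_id ); ?>">
        <?php wp_nonce_field( 'cr_delete_event', '_wpnonce' ); ?>
        <?php submit_button( 'Delete event', 'delete' ); ?>
    </form>
    <?php
}
```

The two checks are independent and both are needed: the capability check stops a low-privileged user from calling the handler directly, and the nonce check stops a cross-site page from driving a privileged user's browser. WordPress nonces are bound to the user, the action string and a rotating tick (valid for 12 to 24 hours), which is why `check_admin_referer()` must be given the same action string that `wp_nonce_field()` used.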


How can this vulnerability impact me?

An attacker exploiting this vulnerability can cause a logged-in administrator to unknowingly delete events from the Court Reservation plugin.

This could lead to loss of event and reservation data, disruption of the booking service, and administrative confusion or operational issues on the affected WordPress site.

The attack needs an administrator who is logged in to the site at the moment the crafted page is loaded. It abuses the fact that the browser attaches the admin's authentication cookies to any request to the site regardless of which page originated it, so the plugin cannot tell the forged deletion apart from a genuine one without a per-request token.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is specific to Court Reservation plugin versions prior to 1.10.9, which lack a CSRF check when deleting events. Detection therefore comes down to establishing which version is installed.

You can check the installed version via the WordPress admin dashboard (Plugins page) or by running commands on the server hosting WordPress.

- Use WP-CLI to list plugins and read the version column: wp plugin list | grep -i court (the plugin's directory slug is not given in this advisory, so filter loosely rather than on an exact slug).
- Manually inspect the header comment of the plugin's main PHP file (usually under wp-content/plugins/court-reservation/) for its "Version:" line.

Because a CSRF request is sent by the victim's own browser with valid cookies, it looks like a legitimate admin action in the web server log. The only distinguishing signals are a foreign Origin or Referer header on the request that deletes the event; there is no single command that detects CSRF attacks directly. [1]
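The manual version check above, written out as a small script you can run on the server, is an added example and not part of the advisory or of the plugin. Because the advisory does not state the plugin's directory slug, the script matches on the "Plugin Name:" header rather than on a path; the header-parsing regexes follow the ones WordPress core uses for plugin headers:

```php
<?php
/**
 * Added example (not from the advisory or the plugin): find a plugin whose header
 * reads "Plugin Name: Court Reservation" under wp-content/plugins and report whether
 * its version is below the fixed release.
 *
 * Usage, from the WordPress root or with an explicit path:
 *   php find-court-reservation.php [/path/to/wp-content/plugins]
 */
const CR_FIXED_VERSION = '1.10.9';

// Read the header fields WordPress itself looks for; like core, only the first
// 8 KiB of the file are inspected.
function cr_read_plugin_header( string $file ): array {
    $head   = (string) file_get_contents( $file, false, null, 0, 8192 );
    $fields = array();
    foreach ( array( 'Plugin Name', 'Version' ) as $key ) {
        if ( preg_match( '/^[ \t\/*#@]*' . preg_quote( $key, '/' ) . ':(.*)$/mi', $head, $m ) ) {
            // Strip a trailing "*/" or "?>" that can follow the value on the same line.
            $fields[ $key ] = trim( preg_replace( '/\s*(?:\*\/|\?>).*/', '', $m[1] ) );
        }
    }
    return $fields;
}

// Scan single-file plugins (plugins/*.php) and directory plugins (plugins/*/*.php).
function cr_find_court_reservation( string $plugins_dir ): array {
    $dir        = rtrim( $plugins_dir, '/' );
    $candidates = array_merge( glob( $dir . '/*.php' ) ?: array(), glob( $dir . '/*/*.php' ) ?: array() );
    $results    = array();
    foreach ( $candidates as $file ) {
        $h = cr_read_plugin_header( $file );
        if ( empty( $h['Plugin Name'] ) || stripos( $h['Plugin Name'], 'Court Reservation' ) === false ) {
            continue;
        }
        $version   = $h['Version'] ?? '0';
        $results[] = array(
            'file'       => $file,
            'version'    => $version,
            // version_compare() handles multi-digit components, so 1.10.10 sorts after 1.10.9.
            'vulnerable' => version_compare( $version, CR_FIXED_VERSION, '<' ),
        );
    }
    return $results;
}

$dir   = $argv[1] ?? __DIR__ . '/wp-content/plugins';
$found = cr_find_court_reservation( $dir );
if ( ! $found ) {
    echo "No plugin with header 'Plugin Name: Court Reservation' found under $dir\n";
}
foreach ( $found as $r ) {
    printf(
        "%s\tversion %s\t%s\n",
        $r['file'],
        $r['version'],
        $r['vulnerable'] ? 'VULNERABLE (update to ' . CR_FIXED_VERSION . ' or later)' : 'not affected'
    );
}
```

A plain string comparison would get this wrong (as a string, "1.10.9" sorts after "1.9.0" but also after "1.10.10"), which is why the script uses version_compare(). If the plugin is installed but its header carries no "Version:" line, the script reports version "0" and flags it, which is the safe direction to err in.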


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to update the Court Reservation WordPress plugin to version 1.10.9 or later, where the missing CSRF check has been added.

Until the update can be applied, restrict administrator accounts to the people who need them, and have administrators log out of wp-admin (or use a separate browser profile for it) when browsing other sites, since the attack only works while an admin session cookie is present.

As defense in depth, a Web Application Firewall can reject state-changing requests to wp-admin whose Origin or Referer header is not the site's own origin. Note that modern browsers treat cookies as SameSite=Lax by default, which withholds cookies from cross-site POST requests but not from top-level GET navigations; whether that helps here depends on the HTTP method the vulnerable deletion endpoint accepts, which this advisory does not state.

