CVE-2026-1508
Description
The Court Reservation WordPress plugin before 1.10.9 does not have a CSRF check in place when deleting events, which could allow attackers to make a logged-in admin delete them via a CSRF attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Court Reservation WordPress plugin before 1.10.9 lacks a CSRF check when deleting events, allowing attackers to trick an admin into deleting events via a crafted request.
Vulnerability
Overview
The Court Reservation WordPress plugin, in versions prior to 1.10.9, fails to include a Cross-Site Request Forgery (CSRF) check in the event deletion functionality. This means that when a delete request arrives in an administrator's session, the plugin does not verify that the admin intentionally made it rather than an attacker forging it [1].
Exploitation
An attacker can exploit this by crafting a malicious link or form that, when visited by a logged-in administrator, triggers an event deletion request to the WordPress site. The attack requires social engineering to make the admin interact with the crafted content, but no additional authentication is needed beyond the admin's existing session [1].
Impact
Successful exploitation allows an attacker to delete events on the site without authorization. This could disrupt scheduled bookings or cause data loss, depending on how the site uses the Court Reservation plugin [1]. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) and has a CVSS v3 score of 4.3 (Medium) [1].
Mitigation
The issue is fixed in version 1.10.9 of the plugin. Users are strongly advised to update to this version or later to protect against CSRF attacks on event deletion [1]. No workaround is provided in the advisory.
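The advisory does not show the plugin's code or the 1.10.9 change, so the following is an added example, not the plugin's own code, of the standard WordPress nonce pattern for a destructive admin action. The action name, the `event_id` parameter, the table name, the `manage_options` capability choice and all `example_*` functions are hypothetical.

```php
<?php
// Hypothetical plugin code (assumed names throughout), showing a delete
// action protected by a per-action, per-user nonce plus a capability check.

// Build the "delete" link shown in the admin list. wp_nonce_url() appends a
// _wpnonce value tied to this action string and the current user's session.
function example_delete_event_url( int $event_id ): string {
    $url = add_query_arg(
        array(
            'action'   => 'example_delete_event',
            'event_id' => $event_id,
        ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'example_delete_event_' . $event_id );
}

// Assumed storage: events live in a custom table named {prefix}example_events.
function example_delete_event( int $event_id ): bool {
    global $wpdb;
    $deleted = $wpdb->delete(
        $wpdb->prefix . 'example_events',
        array( 'id' => $event_id ),
        array( '%d' )
    );
    return (bool) $deleted;
}

// Handler for admin-post.php?action=example_delete_event.
// Without the two checks below, the admin's session cookie alone would
// authorise the deletion, which is the condition the description reports.
function example_handle_delete_event(): void {
    $event_id = absint( $_GET['event_id'] ?? 0 );

    // Authorisation: the logged-in user must be allowed to manage events.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Intent: aborts the request unless _wpnonce matches this exact action
    // and event ID for the current user, so a forged cross-site request fails.
    check_admin_referer( 'example_delete_event_' . $event_id );

    example_delete_event( $event_id );
    wp_safe_redirect( admin_url( 'admin.php?page=example-events' ) );
    exit;
}
add_action( 'admin_post_example_delete_event', 'example_handle_delete_event' );
```

When reviewing other state-changing handlers in a plugin, the same two checks (capability and nonce) are what to look for on every delete, update or settings action.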
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.