CVE-2026-6451
CSRF Vulnerability in WordPress cms-fuer-motorrad-werkstaetten Plugin Allows Data Deletion
Publication date: 2026-04-17
Last updated on: 2026-04-17
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cms-fuer-motorrad-werkstaetten | plugin | to 1.0.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The cms-fuer-motorrad-werkstaetten plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in versions up to and including 1.0.0. This occurs because the plugin's eight AJAX deletion handlers do not perform nonce validation or capability checks. Specifically, they do not call the WordPress functions check_ajax_referer() or wp_verify_nonce(), nor do they verify user permissions with current_user_can().
As a result, an attacker can trick a logged-in user into executing unwanted actions, such as deleting vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, or entire supplier catalogs by sending a forged request.
How can this vulnerability impact me? :
This vulnerability allows an attacker to delete important data within the plugin without proper authorization. If a logged-in user is tricked into clicking a malicious link, the attacker can delete arbitrary vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, or entire supplier catalogs.
The impact includes loss of data integrity and potential disruption of business operations that rely on this data. However, the vulnerability does not allow for data confidentiality breaches or denial of service.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update or patch the cms-fuer-motorrad-werkstaetten WordPress plugin to a version later than 1.0.0 where nonce validation and capability checks are properly implemented.
If an update is not immediately available, restrict access to the affected AJAX deletion handlers and avoid clicking on suspicious links that could trigger forged requests.
Additionally, consider implementing custom nonce validation and capability checks in the plugin code to prevent unauthorized deletion actions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to delete arbitrary data such as vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, or entire supplier catalogs by exploiting missing nonce validation and capability checks in the plugin's AJAX deletion handlers.
This unauthorized deletion of data could potentially impact compliance with standards and regulations like GDPR or HIPAA, which require protection of data integrity and prevention of unauthorized data modification or deletion.
However, the provided information does not explicitly describe the direct impact on compliance with these regulations.