CVE-2026-6451
Received Received - Intake
CSRF Vulnerability in WordPress cms-fuer-motorrad-werkstaetten Plugin Allows Data Deletion

Publication date: 2026-04-17

Last updated on: 2026-04-17

Assigner: Wordfence

Description
The cms-fuer-motorrad-werkstaetten plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.0.0. This is due to missing nonce validation on all eight AJAX deletion handlers: vehicles_cfmw_d_vehicle, contacts_cfmw_d_contact, suppliers_cfmw_d_supplier, receipts_cfmw_d_receipt, positions_cfmw_d_position, catalogs_cfmw_d_article, stock_cfmw_d_item, and settings_cfmw_d_catalog. None of these handlers call check_ajax_referer() or wp_verify_nonce(), nor do they perform any capability checks via current_user_can(). This makes it possible for unauthenticated attackers to delete arbitrary vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, or entire supplier catalogs via a forged request, provided they can trick a logged-in user into performing an action such as clicking a link to a malicious page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6451
EUVD
EUVD-2026-23390
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cms-fuer-motorrad-werkstaetten plugin to 1.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The cms-fuer-motorrad-werkstaetten plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in versions up to and including 1.0.0. This occurs because the plugin's eight AJAX deletion handlers do not perform nonce validation or capability checks. Specifically, they do not call the WordPress functions check_ajax_referer() or wp_verify_nonce(), nor do they verify user permissions with current_user_can().

As a result, an attacker can trick a logged-in user into executing unwanted actions, such as deleting vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, or entire supplier catalogs by sending a forged request.

Impact Analysis

This vulnerability allows an attacker to delete important data within the plugin without proper authorization. If a logged-in user is tricked into clicking a malicious link, the attacker can delete arbitrary vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, or entire supplier catalogs.

The impact includes loss of data integrity and potential disruption of business operations that rely on this data. However, the vulnerability does not allow for data confidentiality breaches or denial of service.

Mitigation Strategies

To mitigate this vulnerability, you should update or patch the cms-fuer-motorrad-werkstaetten WordPress plugin to a version later than 1.0.0 where nonce validation and capability checks are properly implemented.

If an update is not immediately available, restrict access to the affected AJAX deletion handlers and avoid clicking on suspicious links that could trigger forged requests.

Additionally, consider implementing custom nonce validation and capability checks in the plugin code to prevent unauthorized deletion actions.

Compliance Impact

The vulnerability allows unauthenticated attackers to delete arbitrary data such as vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, or entire supplier catalogs by exploiting missing nonce validation and capability checks in the plugin's AJAX deletion handlers.

This unauthorized deletion of data could potentially impact compliance with standards and regulations like GDPR or HIPAA, which require protection of data integrity and prevention of unauthorized data modification or deletion.

However, the provided information does not explicitly describe the direct impact on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6451. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart