| CVE ID | CVE-2026-6451 |
|---|---|
| Type | Cross-Site Request Forgery (CSRF) |
| Affected Component | WordPress Plugin CMS für Motorrad Werkstätten <= 1.0.0 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| CVSS Score | 4.3 — Medium |
| Publicly Published | April 16, 2026 |
| Last Updated | April 17, 2026 |
| Discovered by | Seckhmet |
| Patch Available | No — no known patch available |
A Cross-Site Request Forgery (CSRF) vulnerability was identified in the WordPress plugin CMS für Motorrad Werkstätten in all versions up to and including 1.0.0.
The flaw stems from missing nonce validation on all eight AJAX deletion handlers of the plugin: vehicles_cfmw_d_vehicle, contacts_cfmw_d_contact, suppliers_cfmw_d_supplier, receipts_cfmw_d_receipt, positions_cfmw_d_position, catalogs_cfmw_d_article, stock_cfmw_d_item, and settings_cfmw_d_catalog. None of these handlers call check_ajax_referer() or wp_verify_nonce(), nor do they perform any capability checks via current_user_can().
This makes it possible for unauthenticated attackers to delete arbitrary vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, or entire supplier catalogs via a forged request, provided they can trick a logged-in user into performing an action such as clicking a link to a malicious page.
No patch is currently available. It is recommended to uninstall the plugin and find a maintained alternative. If the plugin must remain active, restrict access to the affected AJAX endpoints and educate administrator users about phishing risks.
For developers wishing to fix the issue, each AJAX handler must call check_ajax_referer() and verify permissions with current_user_can() before performing any deletion operation.
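For reference, an added example of what such a hardened handler looks like for the vehicles_cfmw_d_vehicle action named above. This is illustrative code written for this advisory, not the plugin's own code; the nonce action name, capability, table name, request field names and the script enqueue are assumptions.

```php
<?php
// Added example (not the plugin's own code): a hardened WordPress AJAX
// deletion handler for the 'vehicles_cfmw_d_vehicle' action named in the
// advisory. The nonce action name, capability, table name and the
// JavaScript side are assumptions, not values taken from the plugin.

// 1. Hand the nonce to the browser along with the admin script, so the
//    legitimate page can include it in each deletion request.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'cfmw-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'cfmw-admin', 'cfmwAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'cfmw_delete_vehicle' ), // assumed nonce action
    ) );
} );

// 2. Hardened handler: nonce check first, then capability check, then
//    strict input validation, and only then the destructive query.
function cfmw_delete_vehicle_handler() {
    // Stops the request (wp_die with HTTP 403) unless the 'nonce' field
    // carries a valid token for the assumed action 'cfmw_delete_vehicle'.
    // A forged cross-site request cannot know this per-user, per-session value.
    check_ajax_referer( 'cfmw_delete_vehicle', 'nonce' );

    // A valid nonce only proves the request came from a page we rendered;
    // the user must additionally be allowed to delete records.
    if ( ! current_user_can( 'manage_options' ) ) { // assumed capability
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Invalid vehicle id.' ), 400 );
    }

    global $wpdb;
    $table   = $wpdb->prefix . 'cfmw_vehicles'; // assumed table name
    $deleted = $wpdb->delete( $table, array( 'id' => $id ), array( '%d' ) );

    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}

// Registered for logged-in users only; deliberately no 'wp_ajax_nopriv_'
// registration, so anonymous requests never reach the handler at all.
add_action( 'wp_ajax_vehicles_cfmw_d_vehicle', 'cfmw_delete_vehicle_handler' );
```

The same three-step pattern (nonce, capability, validated input) applies to each of the other seven handlers listed in the advisory.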