| CVE ID | CVE-2026-6674 |
|---|---|
| Type | SQL Injection |
| Affected Component | WordPress Plugin CMS für Motorrad Werkstätten <= 1.0.0 |
| Vulnerable Parameter | arttype |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVSS Score | 6.5 — Medium |
| Publicly Published | April 20, 2026 |
| Last Updated | April 20, 2026 |
| Discovered by | Seckhmet |
| Required Access Level | Authenticated — Subscriber and above |
| Patch Available | No — no known patch available |

A SQL Injection vulnerability affects the WordPress plugin CMS für Motorrad Werkstätten in all versions up to and including 1.0.0. The plugin passes the user-supplied arttype parameter into an existing SQL query without adequate escaping and without a prepared statement. An authenticated attacker with Subscriber-level access or higher can therefore append additional SQL to the existing query and use it to extract sensitive information from the database (the CVSS vector reflects this: high confidentiality impact, no integrity or availability impact).

No patch is currently available. The recommended mitigation is to uninstall the plugin and replace it with a maintained alternative. If the plugin must remain active, disable open user registration (Settings > General, "Anyone can register") so that untrusted visitors cannot obtain the Subscriber role needed to reach the vulnerable code path. Note that this only limits new accounts; existing Subscriber-level users keep access until the plugin is removed or fixed.

For developers fixing the issue, every query that incorporates user input must be built with $wpdb->prepare() using %s, %d or %f placeholders, and the input must be validated or sanitized before it reaches the query. $wpdb->prepare() only parameterizes values: where a request parameter selects a table or column name or a sort direction, it cannot go through a placeholder and must instead be checked against an allowlist (WordPress 6.2 and later also offer the %i placeholder for identifiers). Values used in a LIKE clause additionally need $wpdb->esc_like() so that user-supplied % and _ are not interpreted as wildcards.