{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6451", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-16T19:38:56.791Z", "datePublished": "2026-04-17T07:45:57.242Z", "dateUpdated": "2026-04-17T07:45:57.242Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-17T07:45:57.242Z"}, "affected": [{"vendor": "tholstkabelbwde", "product": "Plugin: CMS f\u00fcr Motorrad Werkst\u00e4tten", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The cms-fuer-motorrad-werkstaetten plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.0.0. This is due to missing nonce validation on all eight AJAX deletion handlers: vehicles_cfmw_d_vehicle, contacts_cfmw_d_contact, suppliers_cfmw_d_supplier, receipts_cfmw_d_receipt, positions_cfmw_d_position, catalogs_cfmw_d_article, stock_cfmw_d_item, and settings_cfmw_d_catalog. None of these handlers call check_ajax_referer() or wp_verify_nonce(), nor do they perform any capability checks via current_user_can(). This makes it possible for unauthenticated attackers to delete arbitrary vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, or entire supplier catalogs via a forged request, provided they can trick a logged-in user into performing an action such as clicking a link to a malicious page."}], "title": "CMS f\u00fcr Motorrad Werkst\u00e4tten <= 1.0.0 - Cross-Site Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6895a774-7e78-4ab2-a2b3-2a333f258778?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-vehicles.php#L98"}, {"url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-vehicles.php#L98"}, {"url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-contacts.php#L93"}, {"url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-contacts.php#L93"}, {"url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-suppliers.php#L108"}, {"url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-suppliers.php#L108"}, {"url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-receipts.php#L92"}, {"url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-receipts.php#L92"}, {"url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-positions.php#L119"}, {"url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-positions.php#L119"}, {"url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-catalogs.php#L88"}, {"url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-catalogs.php#L88"}, {"url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-stock.php#L101"}, {"url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-stock.php#L101"}, {"url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-settings.php#L191"}, {"url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-settings.php#L191"}, {"url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-vehicles.php#L100"}, {"url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-vehicles.php#L100"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "R\u00e9gis SENET"}], "timeline": [{"time": "2026-04-16T19:39:37.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The cms-fuer-motorrad-werkstaetten plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.0.0. This is due to missing nonce validation on all eight AJAX deletion handlers: vehicles_cfmw_d_vehicle, contacts_cfmw_d_contact, suppliers_cfmw_d_supplier, receipts_cfmw_d_receipt, positions_cfmw_d_position, catalogs_cfmw_d_article, stock_cfmw_d_item, and settings_cfmw_d_catalog. None of these handlers call check_ajax_referer() or wp_verify_nonce(), nor do they perform any capability checks via current_user_can(). This makes it possible for unauthenticated attackers to delete arbitrary vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, or entire supplier catalogs via a forged request, provided they can trick a logged-in user into performing an action such as clicking a link to a malicious page."}], "id": "CVE-2026-6451", "lastModified": "2026-04-17T08:16:18.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-17T08:16:18.243", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-catalogs.php#L88"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-contacts.php#L93"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-positions.php#L119"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-receipts.php#L92"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-settings.php#L191"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-stock.php#L101"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-suppliers.php#L108"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-vehicles.php#L100"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-vehicles.php#L98"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-catalogs.php#L88"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-contacts.php#L93"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-positions.php#L119"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-receipts.php#L92"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-settings.php#L191"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-stock.php#L101"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-suppliers.php#L108"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-vehicles.php#L100"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-vehicles.php#L98"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6895a774-7e78-4ab2-a2b3-2a333f258778?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T09:21:10.461534+00:00", "value": {"mitigation_remediation": ["Upgrade the CMS f\u00fcr Motorrad Werkst\u00e4tten plugin to a version newer than 1.0.0, which must include nonce validation and capability checks on all deletion handlers.", "If an update is not yet available, modify the plugin\u2019s delete callbacks to call check_ajax_referer() and current_user_can() before proceeding, or wrap them in a custom secure AJAX hook that performs these verifications.", "As a temporary workaround, block or delete the eight AJAX deletion actions (e.g., via a .htaccess rule or by disabling the plugin) so that no deletion requests can be processed until a patch is applied."], "summary": {"action": "Apply Fix", "impact": "Unauthenticated Data Deletion via CSRF"}, "threat_synthesis": {"affected_systems": "WordPress installations using the CMS f\u00fcr Motorrad Werkst\u00e4tten plugin version\u202f1.0.0 or earlier are affected. The plugin is distributed by tholstkabelbwde under the product name \"CMS f\u00fcr Motorrad Werkst\u00e4tten\" and the vulnerability applies to all instances of the 1.0.0 release and any lower revisions.", "description_and_impact": "The CMS f\u00fcr Motorrad Werkst\u00e4tten plugin contains eight AJAX deletion handlers that lack any nonce verification or permission checks. As a result, an unauthenticated attacker can force any logged\u2011in user to delete vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, or entire supplier catalogs by sending a crafted request. This flaw can compromise integrity and availability of the data managed by the plugin, and it represents a classic Cross\u2011Site Request Forgery vulnerability classified as CWE\u2011352.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 4.3, indicating moderate severity. No EPSS figure is available, and the flaw is not currently listed in the CISA KEV catalog. Likely attack requires an attacker to deliver a forged request to a logged\u2011in user\u2014typically by hosting a malicious page that contains the AJAX endpoint URL\u2014so that the user unknowingly submits a delete operation. Because no authentication is required for the attacker, and the plugin does not protect the handlers, the exploit path is straightforward and the risk to sites running the affected plugin is moderate."}}}}, "created": "2026-04-17T09:30:14.468618+00:00", "updated": "2026-04-17T09:30:14.468630+00:00", "vendors": []}