cms-fuer-motorrad-werkstaetten Plugin Vulnerability (CVE-2026-6451)


Security Alert Summary

The cms-fuer-motorrad-werkstaetten WordPress plugin exposes multiple AJAX deletion handlers that perform neither nonce verification nor capability checks. An attacker who can induce a logged-in user to perform an action in their browser (for example, visit a crafted page or click a crafted link) can make that user's session issue deletion requests for the various records the plugin manages.


CVE Details

  • CVE ID: CVE-2026-6451
  • Affected component: cms-fuer-motorrad-werkstaetten WordPress plugin
  • Affected versions: versions up to and including 1.0.0
  • Published: April 17, 2026 at 8:16:18 AM UTC
  • Last modified: April 17, 2026 at 8:16:18 AM UTC
  • CVSS v3.1: Base Score 4.3 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
  • Authentication / Privileges / User interaction:
    • Authentication required: No (the attacker does not authenticate; the victim whose browser carries the request must hold a valid WordPress login session)
    • Privileges required: None
    • User interaction: Required (the victim must open a crafted page or link)
    • Attack Vector: Network
    • Attack Complexity: Low
    • Scope: Unchanged
  • Primary impact:
    • Confidentiality: None
    • Integrity: Low (unauthorized deletion of plugin-managed items)
    • Availability: None
  • Weakness (CWE): CWE-352 (Cross-Site Request Forgery)

Technical Details

This vulnerability is a Cross-Site Request Forgery (CSRF) caused by missing nonce validation and missing capability checks in the plugin's AJAX deletion handlers. The following AJAX actions are affected: vehicles_cfmw_d_vehicle, contacts_cfmw_d_contact, suppliers_cfmw_d_supplier, receipts_cfmw_d_receipt, positions_cfmw_d_position, catalogs_cfmw_d_article, stock_cfmw_d_item, and settings_cfmw_d_catalog.

None of these handlers call check_ajax_referer() or wp_verify_nonce(), and none perform capability checks via current_user_can(). As a result the handlers process a deletion request without establishing either that the request originated from the plugin's own admin interface or that the caller is allowed to delete the record. An attacker therefore only needs a request that a logged-in user's browser will send (for example, a hidden form on a malicious page that submits the target action and record id to admin-ajax.php); the user's session cookie does the rest and the corresponding item is deleted. Note also that, because the capability check is missing as well, the same handlers accept direct calls from any authenticated account regardless of role, with no CSRF involved; the CVSS vector above scores the CSRF path.
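The following is an added example, not code from the cms-fuer-motorrad-werkstaetten plugin or its author. It shows the pattern the advisory describes (an AJAX deletion handler with no nonce and no capability check) beside a hardened version that adds both, plus the enqueue step that hands the nonce to the admin-side script. The hook name vehicles_cfmw_d_vehicle comes from the advisory; the function names, table name, nonce action, script handle and the manage_options capability are assumptions.

```php
<?php
/**
 * Added example (not plugin code): vulnerable vs. hardened WordPress AJAX
 * deletion handler. Hook name taken from the advisory; everything else
 * (function names, table 'cfmw_vehicles', nonce action, capability) is assumed.
 */

// BEFORE (vulnerable pattern): any request that reaches admin-ajax.php with a
// logged-in session cookie is processed. No nonce, no capability check, and
// the record id is taken straight from the request. Not registered here so
// that only the hardened handler runs:
// add_action( 'wp_ajax_vehicles_cfmw_d_vehicle', 'cfmw_example_delete_vehicle_vulnerable' );
function cfmw_example_delete_vehicle_vulnerable() {
    global $wpdb;
    $id = intval( $_POST['id'] );
    $wpdb->delete( $wpdb->prefix . 'cfmw_vehicles', array( 'id' => $id ) ); // assumed table
    wp_send_json_success();
}

// AFTER (hardened): the request must carry a nonce issued to this user for
// this specific action, and the user must hold a capability that implies
// permission to delete plugin records.
add_action( 'wp_ajax_vehicles_cfmw_d_vehicle', 'cfmw_example_delete_vehicle_hardened' );
function cfmw_example_delete_vehicle_hardened() {
    // 1. CSRF protection. The nonce is per-user, per-action and time-limited;
    //    check_ajax_referer() terminates the request (HTTP 403) if it is missing
    //    or invalid, so a cross-site form cannot get past this line.
    check_ajax_referer( 'cfmw_delete_vehicle', 'nonce' );

    // 2. Authorisation. A logged-in session alone is not enough; require the
    //    most specific capability the plugin defines ('manage_options' assumed).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    // 3. Input validation: accept only a positive integer id.
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Invalid id' ), 400 );
    }

    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'cfmw_vehicles', array( 'id' => $id ), array( '%d' ) );
    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}

// The admin-side script must send the nonce with each deletion request.
// Issue it when enqueuing the plugin's script (handle and file are assumed);
// the script then posts { action, id, nonce: cfmwAjax.nonce } to cfmwAjax.url.
add_action( 'admin_enqueue_scripts', 'cfmw_example_enqueue' );
function cfmw_example_enqueue() {
    wp_enqueue_script( 'cfmw-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'cfmw-admin', 'cfmwAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'cfmw_delete_vehicle' ),
    ) );
}
```

Both checks are needed: the nonce alone stops cross-site forms but still lets any logged-in account that can obtain a nonce delete records, and the capability check alone stops low-privileged accounts but not a CSRF against an administrator.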


How This Could Impact Your Website

In a typical small business WordPress site using this plugin, several user roles may interact with plugin-managed data: the site owner or administrator, internal staff who manage inventory or contacts, and external contributors or contractors with editor or contributor access. Any of these accounts can serve as the victim; the only requirement is a valid WordPress login session in the browser, not an open admin page. If such a user visits a malicious page while logged in, an attacker can cause the site to process deletion requests that remove vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, or entire supplier catalogs.

Practical consequences include loss of business records (for example vehicle or receipt entries), disruption to inventory data, and exposure to targeted social engineering if contact lists are modified or selectively deleted. These impacts align with the CVSS integrity impact (Low) rather than full site takeover.

If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available. Until then, consider deactivating it or restricting the affected AJAX actions to the accounts that genuinely need them.
  • Review and reduce unnecessary user accounts and roles. Because the handlers check no capability, any logged-in account, including subscriber-level ones, can act as the victim of this CSRF.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unusual deletion events or unexpected changes to plugin-managed data.
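For sites that cannot update yet, the following is an added example of a temporary guard, written for this advisory and not supplied by the plugin's author. It is a must-use plugin that hooks each of the affected AJAX actions before the plugin's own handler runs and rejects requests that are either cross-site (judged by the Sec-Fetch-Site header, falling back to the raw Referer host) or not from an administrator, logging each block. The manage_options capability, the decision to block rather than only log, and the log format are assumptions; widen the capability if non-admin staff legitimately use these screens.

```php
<?php
/**
 * Plugin Name: CFMW temporary AJAX guard (added example, not vendor code)
 * Description: Stop-gap for CVE-2026-6451 until a patched plugin is installed.
 *              Place in wp-content/mu-plugins/ so it loads before the plugin.
 */

// Action names listed in the advisory.
const CFMW_GUARDED_ACTIONS = array(
    'vehicles_cfmw_d_vehicle',
    'contacts_cfmw_d_contact',
    'suppliers_cfmw_d_supplier',
    'receipts_cfmw_d_receipt',
    'positions_cfmw_d_position',
    'catalogs_cfmw_d_article',
    'stock_cfmw_d_item',
    'settings_cfmw_d_catalog',
);

/**
 * True only when the browser itself vouches that the request came from this
 * site. Sec-Fetch-Site is set by the browser and cannot be supplied by a
 * cross-site page. The fallback reads $_SERVER['HTTP_REFERER'] directly rather
 * than wp_get_referer(), because the latter prefers a '_wp_http_referer'
 * request parameter that an attacker's form could supply.
 */
function cfmw_guard_is_same_site_request() {
    if ( isset( $_SERVER['HTTP_SEC_FETCH_SITE'] ) ) {
        return 'same-origin' === $_SERVER['HTTP_SEC_FETCH_SITE'];
    }
    if ( empty( $_SERVER['HTTP_REFERER'] ) ) {
        return false; // no way to tell; fail closed
    }
    $referer_host = wp_parse_url( $_SERVER['HTTP_REFERER'], PHP_URL_HOST );
    $site_host    = wp_parse_url( home_url(), PHP_URL_HOST );
    return is_string( $referer_host ) && strtolower( $referer_host ) === strtolower( $site_host );
}

/**
 * Runs at priority 1 on each guarded 'wp_ajax_*' hook, i.e. before the
 * plugin's handler at the default priority 10. wp_send_json_error() calls
 * exit, so on failure the original deletion handler never executes.
 */
function cfmw_guard_check() {
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    $ok     = current_user_can( 'manage_options' ) && cfmw_guard_is_same_site_request();
    if ( ! $ok ) {
        error_log( sprintf(
            'cfmw-guard: blocked action=%s user=%d ip=%s',
            $action,
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
        ) );
        wp_send_json_error( array( 'message' => 'Request blocked by cfmw-guard' ), 403 );
    }
}

foreach ( CFMW_GUARDED_ACTIONS as $guarded_action ) {
    add_action( 'wp_ajax_' . $guarded_action, 'cfmw_guard_check', 1 );
}
```

This does not replace the proper fix (a per-action nonce plus a capability check inside the plugin), and a Referer-based fallback can be defeated by clients that suppress the header; it only narrows the window until the patched release is installed, and the log lines it writes give the "unusual deletion events" to watch for.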

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References