Das Plugin cms-fuer-motorrad-werkstaetten für WordPress ist anfällig für Cross-Site Request Forgery in Versionen bis einschließlich 1.0.0. Dies liegt an fehlender Nonce-Validierung bei allen acht AJAX-Löschhandlern: vehicles_cfmw_d_vehicle, contacts_cfmw_d_contact, suppliers_cfmw_d_supplier, receipts_cfmw_d_receipt, positions_cfmw_d_position, catalogs_cfmw_d_article, stock_cfmw_d_item und settings_cfmw_d_catalog. Keiner dieser Handler ruft check_ajax_referer() oder wp_verify_nonce() auf, noch führen sie

The primary impact of CVE-2026-6451 is the potential for unauthorized data deletion within the WordPress site using the cms-fuer-motorrad-werkstaetten plugin. An attacker could craft malicious links or scripts that, when clicked by an authenticated user, would trigger the deletion of vehicles, contacts, suppliers, receipts, positions, catalogs, stock items, or catalog settings. This could lead to significant data loss, disruption of business operations, and potential reputational damage. The lack of nonce validation and capability checks makes exploitation relatively straightforward, particularly if the attacker can trick a user into clicking a malicious link.

WordPress websites utilizing the cms-fuer-motorrad-werkstaetten plugin, particularly those running versions prior to the patched release, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise on one site could potentially be leveraged to attack others.

• wordpress / composer / npm:

grep -r 'vehicles_cfmw_d_vehicle|contacts_cfmw_d_contact|suppliers_cfmw_d_supplier|receipts_cfmw_d_receipt|positions_cfmw_d_position|catalogs_cfmw_d_article|stock_cfmw_d_item|settings_cfmw_d_catalog' /var/www/html/wp-content/plugins/cms-fuer-motorrad-werkstaetten/

• generic web:

curl -I https://example.com/wp-admin/admin-ajax.php?action=vehicles_cfmw_d_vehicle | grep -i '200 ok'

1. 2026-04-17Disclosure

   disclosure

1. Reserviert2026-04-16
2. Veröffentlicht2026-04-17
3. Geändert2026-04-22
4. EPSS aktualisiert2026-04-24

The primary mitigation for CVE-2026-6451 is to upgrade the cms-fuer-motorrad-werkstaetten plugin to a version that includes the necessary nonce validation and capability checks. If upgrading is not immediately possible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests to the vulnerable AJAX endpoints (vehiclescfmwdvehicle, contactscfmwdcontact, supplierscfmwdsupplier, receiptscfmwdreceipt, positionscfmwdposition, catalogscfmwdarticle, stockcfmwditem, and settingscfmwdcatalog) that lack proper authentication. Additionally, restrict access to the plugin's administrative interface to trusted users only. After upgrading, confirm the fix by attempting to access the vulnerable endpoints while logged in as a standard user and verifying that the actions are denied.