Cross-Site Request Forgery Vulnerability in cms-fuer-motorrad-werkstaetten Plugin by WordPress
CVE-2026-6451

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Plugin: Cms Für Motorrad Werkstätten
Vendor: CVE Published:; 17 April 2026

What is CVE-2026-6451?

The cms-fuer-motorrad-werkstaetten plugin for WordPress contains a Cross-Site Request Forgery vulnerability that affects versions up to 1.0.0. This issue arises from a lack of nonce validation across eight AJAX deletion handlers, allowing unauthenticated attackers to impersonate logged-in users. Without proper nonce validation, malicious users could execute deletion requests for various entities, including vehicles, contacts, and suppliers, by tricking users into visiting a specially crafted link. The absence of capability checks further exacerbates this security flaw, making it critically important for users to update their plugins to prevent potential unauthorized data deletions.

Affected Version(s)

Plugin: CMS für Motorrad Werkstätten 0 <= 1.0.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/cms-fuer-motor...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 17, 2026
Vulnerability Reserved
Apr 16, 2026

Credit

Régis SENET

CVE-2026-6451 Data

JSON