Description
The cms-fuer-motorrad-werkstaetten plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.0.0. This is due to missing nonce validation on all eight AJAX deletion handlers: vehicles_cfmw_d_vehicle, contacts_cfmw_d_contact, suppliers_cfmw_d_supplier, receipts_cfmw_d_receipt, positions_cfmw_d_position, catalogs_cfmw_d_article, stock_cfmw_d_item, and settings_cfmw_d_catalog. None of these handlers call check_ajax_referer() or wp_verify_nonce(), nor do they perform any capability checks via current_user_can(). This makes it possible for unauthenticated attackers to delete arbitrary vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, or entire supplier catalogs via a forged request, provided they can trick a logged-in user into performing an action such as clicking a link to a malicious page.
Published: 2026-04-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Data Deletion via CSRF
Action: Apply Fix
AI Analysis

Impact

The CMS für Motorrad Werkstätten plugin contains eight AJAX deletion handlers that lack any nonce verification or permission checks. As a result, an unauthenticated attacker can force any logged‑in user to delete vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, or entire supplier catalogs by sending a crafted request. This flaw can compromise integrity and availability of the data managed by the plugin, and it represents a classic Cross‑Site Request Forgery vulnerability classified as CWE‑352.

Affected Systems

WordPress installations using the CMS für Motorrad Werkstätten plugin version 1.0.0 or earlier are affected. The plugin is distributed by tholstkabelbwde under the product name "CMS für Motorrad Werkstätten" and the vulnerability applies to all instances of the 1.0.0 release and any lower revisions.

Risk and Exploitability

The vulnerability carries a CVSS score of 4.3, indicating moderate severity. No EPSS figure is available, and the flaw is not currently listed in the CISA KEV catalog. Likely attack requires an attacker to deliver a forged request to a logged‑in user—typically by hosting a malicious page that contains the AJAX endpoint URL—so that the user unknowingly submits a delete operation. Because no authentication is required for the attacker, and the plugin does not protect the handlers, the exploit path is straightforward and the risk to sites running the affected plugin is moderate.

Generated by OpenCVE AI on April 17, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the CMS für Motorrad Werkstätten plugin to a version newer than 1.0.0, which must include nonce validation and capability checks on all deletion handlers.
  • If an update is not yet available, modify the plugin’s delete callbacks to call check_ajax_referer() and current_user_can() before proceeding, or wrap them in a custom secure AJAX hook that performs these verifications.
  • As a temporary workaround, block or delete the eight AJAX deletion actions (e.g., via a .htaccess rule or by disabling the plugin) so that no deletion requests can be processed until a patch is applied.

Generated by OpenCVE AI on April 17, 2026 at 09:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-catalogs.php#L88 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-contacts.php#L93 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-positions.php#L119 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-receipts.php#L92 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-settings.php#L191 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-stock.php#L101 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-suppliers.php#L108 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-vehicles.php#L100 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-vehicles.php#L98 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-catalogs.php#L88 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-contacts.php#L93 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-positions.php#L119 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-receipts.php#L92 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-settings.php#L191 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-stock.php#L101 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-suppliers.php#L108 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-vehicles.php#L100 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-vehicles.php#L98 cve-icon cve-icon
https://www.wordfence.com/threat-intel/vulnerabilities/id/6895a774-7e78-4ab2-a2b3-2a333f258778?source=cve cve-icon cve-icon
History

Fri, 17 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Tholstkabelbwde
Tholstkabelbwde plugin: Cms Für Motorrad Werkstätten
Wordpress
Wordpress wordpress
Vendors & Products Tholstkabelbwde
Tholstkabelbwde plugin: Cms Für Motorrad Werkstätten
Wordpress
Wordpress wordpress

Fri, 17 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 08:15:00 +0000

Type Values Removed Values Added
Description The cms-fuer-motorrad-werkstaetten plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.0.0. This is due to missing nonce validation on all eight AJAX deletion handlers: vehicles_cfmw_d_vehicle, contacts_cfmw_d_contact, suppliers_cfmw_d_supplier, receipts_cfmw_d_receipt, positions_cfmw_d_position, catalogs_cfmw_d_article, stock_cfmw_d_item, and settings_cfmw_d_catalog. None of these handlers call check_ajax_referer() or wp_verify_nonce(), nor do they perform any capability checks via current_user_can(). This makes it possible for unauthenticated attackers to delete arbitrary vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, or entire supplier catalogs via a forged request, provided they can trick a logged-in user into performing an action such as clicking a link to a malicious page.
Title CMS für Motorrad Werkstätten <= 1.0.0 - Cross-Site Request Forgery
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Tholstkabelbwde Plugin: Cms Für Motorrad Werkstätten
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-17T14:21:59.771Z

Reserved: 2026-04-16T19:38:56.791Z

Link: CVE-2026-6451

cve-icon Vulnrichment

Updated: 2026-04-17T14:21:47.858Z

cve-icon NVD

Status : Received

Published: 2026-04-17T08:16:18.243

Modified: 2026-04-17T08:16:18.243

Link: CVE-2026-6451

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:35:28Z

Weaknesses