CVE-2026-6451
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Author Request), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
The cms-fuer-motorrad-werkstaetten plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.0.0. This is due to missing nonce validation on all eight AJAX deletion handlers: vehicles_cfmw_d_vehicle, contacts_cfmw_d_contact, suppliers_cfmw_d_supplier, receipts_cfmw_d_receipt, positions_cfmw_d_position, catalogs_cfmw_d_article, stock_cfmw_d_item, and settings_cfmw_d_catalog. None of these handlers call check_ajax_referer() or wp_verify_nonce(), nor do they perform any capability checks via current_user_can(). This makes it possible for unauthenticated attackers to delete arbitrary vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, or entire supplier catalogs via a forged request, provided they can trick a logged-in user into performing an action such as clicking a link to a malicious page.
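The checks the description reports as missing, shown on one deletion handler as an added example. This is not the plugin's code and not part of the advisory. The action name, nonce action, script handle, table name and the choice of the `manage_options` capability are hypothetical.

```php
<?php
// Added example, not the plugin's source. Hypothetical names: the AJAX action
// 'example_cfmw_delete_vehicle', nonce action 'example_cfmw_delete', script
// handle 'example-cfmw-admin', table '{prefix}example_cfmw_vehicles'.

// Register for logged-in users only; no wp_ajax_nopriv_ hook is added.
add_action( 'wp_ajax_example_cfmw_delete_vehicle', 'example_cfmw_delete_vehicle' );

function example_cfmw_delete_vehicle() {
	// State-changing requests must be POST.
	if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
		wp_send_json_error( array( 'message' => 'Method not allowed.' ), 405 );
	}
	// CSRF check: a forged cross-site request cannot supply a valid nonce.
	// Third argument false makes the function return false instead of dying.
	if ( ! check_ajax_referer( 'example_cfmw_delete', 'nonce', false ) ) {
		wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
	}
	// Authorization check: a nonce proves intent, not permission.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}
	// Validate the record id before touching the database.
	$id = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
	if ( 0 === $id ) {
		wp_send_json_error( array( 'message' => 'Missing record id.' ), 400 );
	}
	global $wpdb;
	$deleted = $wpdb->delete(
		$wpdb->prefix . 'example_cfmw_vehicles',
		array( 'id' => $id ),
		array( '%d' )
	);
	if ( false === $deleted ) {
		wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
	}
	wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}

// Hand the nonce to the admin script that issues the delete request.
// Assumes the script handle has already been registered and enqueued.
add_action( 'admin_enqueue_scripts', function () {
	wp_localize_script( 'example-cfmw-admin', 'exampleCfmw', array(
		'ajaxUrl' => admin_url( 'admin-ajax.php' ),
		'nonce'   => wp_create_nonce( 'example_cfmw_delete' ),
	) );
} );
```

Each of the eight handlers named in the description would need both the nonce check and the capability check; the nonce alone does not restrict which logged-in users may delete records.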
Affected products
- Range: <=1.0.0
References
- plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-catalogs.php (nvd)
- plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-contacts.php (nvd)
- plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-positions.php (nvd)
- plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-receipts.php (nvd)
- plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-settings.php (nvd)
- plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-stock.php (nvd)
- plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-suppliers.php (nvd)
- plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-vehicles.php (nvd)
- plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-catalogs.php (nvd)
- plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-contacts.php (nvd)
- plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-positions.php (nvd)
- plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-receipts.php (nvd)
- plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-settings.php (nvd)
- plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-stock.php (nvd)
- plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-suppliers.php (nvd)
- plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-vehicles.php (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/6895a774-7e78-4ab2-a2b3-2a333f258778 (nvd)
News mentions
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 13, 2026 to April 19, 2026), Wordfence Blog · Apr 23, 2026