Skip to main content

WordPress CVE-2026-6451

| EUVDEUVD-2026-23390 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-17 Wordfence GHSA-8mf7-m4px-v9qq
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 17, 2026 - 08:22 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 08:15 euvd
EUVD-2026-23390
Analysis Generated
Apr 17, 2026 - 08:15 vuln.today
CVE Published
Apr 17, 2026 - 07:45 nvd
MEDIUM 4.3

DescriptionCVE.org

The cms-fuer-motorrad-werkstaetten plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.0.0. This is due to missing nonce validation on all eight AJAX deletion handlers: vehicles_cfmw_d_vehicle, contacts_cfmw_d_contact, suppliers_cfmw_d_supplier, receipts_cfmw_d_receipt, positions_cfmw_d_position, catalogs_cfmw_d_article, stock_cfmw_d_item, and settings_cfmw_d_catalog. None of these handlers call check_ajax_referer() or wp_verify_nonce(), nor do they perform any capability checks via current_user_can(). This makes it possible for unauthenticated attackers to delete arbitrary vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, or entire supplier catalogs via a forged request, provided they can trick a logged-in user into performing an action such as clicking a link to a malicious page.

AnalysisAI

Cross-Site Request Forgery (CSRF) in the cms-fuer-motorrad-werkstaetten WordPress plugin version 1.0.0 and earlier allows unauthenticated attackers to delete arbitrary vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, and supplier catalogs by tricking logged-in users into clicking a malicious link. Eight AJAX handlers lack nonce validation and capability checks, enabling direct data destruction without authentication or authorization verification. User interaction is required (UI:R), limiting the attack to social engineering scenarios rather than direct network exploitation.

Technical ContextAI

The vulnerability exists in the WordPress plugin architecture where AJAX handlers (add_action with 'wp_ajax_*' hooks) are not properly secured. WordPress provides two primary defense mechanisms: wp_verify_nonce() for CSRF token validation and current_user_can() for role-based capability checks. The affected plugin registers eight AJAX deletion handlers across multiple modules (vehicles, contacts, suppliers, receipts, positions, catalogs, stock items) that execute database deletion operations without either mechanism. When a logged-in WordPress user (identified by session cookie) visits an attacker-controlled page containing a crafted form or JavaScript that triggers one of these AJAX endpoints, the user's browser automatically includes their authenticated session cookies, allowing the malicious request to execute with that user's privileges. This is a classic CSRF attack leveraging the stateless nature of AJAX requests combined with WordPress's cookie-based session management.

RemediationAI

Update the cms-fuer-motorrad-werkstaetten plugin to a patched version if released by the developer; check the WordPress plugin repository or contact the developer at tholstkabelbwde for availability. As an immediate mitigation, disable the plugin entirely until a security update is available (action: deactivate and remove plugin, side effect: motorcycle workshop management features become unavailable). If continued operation is required, implement Web Application Firewall (WAF) rules blocking requests to the vulnerable AJAX endpoints (vehicles_cfmw_d_vehicle, contacts_cfmw_d_contact, suppliers_cfmw_d_supplier, receipts_cfmw_d_receipt, positions_cfmw_d_position, catalogs_cfmw_d_article, stock_cfmw_d_item, settings_cfmw_d_catalog) from external sources, though this requires identifying legitimate internal traffic patterns and may block legitimate administrators. Restrict WordPress admin access to trusted IP address ranges only, reducing the attack surface by limiting which systems can host vulnerable sessions. Educate administrators never to click external links while logged into WordPress, though this is a weak compensating control relying on human behavior.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-6451 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy