PT-2026-33422 · WordPress · Cms-Fuer-Motorrad-Werkstaetten

Régis Senet · Published 2026-04-17 · Updated 2026-04-24 · CVE-2026-6451

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

cms-fuer-motorrad-werkstaetten versions prior to 1.0.1

Description

The cms-fuer-motorrad-werkstaetten plugin for WordPress is susceptible to Cross-Site Request Forgery. This occurs because eight AJAX deletion handlers lack nonce validation and do not perform capability checks via current_user_can(). The affected handlers are 'vehicles cfmw d vehicle', 'contacts cfmw d contact', 'suppliers cfmw d supplier', 'receipts cfmw d receipt', 'positions cfmw d position', 'catalogs cfmw d article', 'stock cfmw d item', and 'settings cfmw d catalog'. Consequently, unauthenticated attackers can delete arbitrary vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, or entire supplier catalogs by tricking a logged-in user into clicking a malicious link.

Recommendations

Update to a version later than 1.0.0.
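The two checks the description names as missing, shown on a generic WordPress AJAX deletion handler. This is an added example, not the plugin's code or its actual patch; the action name, nonce action, script handle, table name and the 'manage_options' capability are hypothetical placeholders.

```php
<?php
// Added example: hardened pattern for a state-changing admin-ajax handler.
// All "example_*" names and the chosen capability are hypothetical.

// Register for logged-in users only; no wp_ajax_nopriv_ hook is added.
add_action( 'wp_ajax_example_delete_vehicle', 'example_delete_vehicle' );

function example_delete_vehicle() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    //    check_ajax_referer() terminates the request with 403 on failure.
    check_ajax_referer( 'example_delete_vehicle', 'nonce' );

    // 2. Authorization: a valid nonce only proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Deletions are accepted over POST only, so a followed link cannot trigger one.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_send_json_error( array( 'message' => 'Method not allowed' ), 405 );
    }

    // 4. Validate the target id before touching the database.
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Invalid id' ), 400 );
    }

    global $wpdb;
    $deleted = $wpdb->delete(
        $wpdb->prefix . 'example_vehicles', // hypothetical table
        array( 'id' => $id ),
        array( '%d' )
    );
    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}

// Hand the nonce to the admin-side script that issues the request.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_delete_vehicle' ),
    ) );
} );
```

Each deletion handler needs both checks: the nonce stops forged cross-site requests, and the capability check stops low-privileged logged-in users from calling the action directly.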

Fix

CSRF

Weakness Enumeration

Related Identifiers: CVE-2026-6451

Affected Products: Cms-Fuer-Motorrad-Werkstaetten