CVE-2026-6451 [Medium] | CSRF in Versions Up To And Includ…

The cms-fuer-motorrad-werkstaetten plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.0.0. This is due to missing nonce validation on all eight AJAX deletion handlers: vehicles_cfmw_d_vehicle, contacts_cfmw_d_contact, suppliers_cfmw_d_supplier, receipts_cfmw_d_receipt, positions_cfmw_d_position, catalogs_cfmw_d_article, stock_cfmw_d_item, and settings_cfmw_d_catalog. None of these handlers call check_ajax_referer() or wp_verify_nonce(), nor do they perform any capability checks via current_user_can(). This makes it possible for unauthenticated attackers to delete arbitrary vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, or entire supplier catalogs via a forged request, provided they can trick a logged-in user into performing an action such as clicking a link to a malicious page.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.01%	0.22%	+0.22%
2	2026-04-17	—	0.01%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.01%

0.22%

+0.22%

2026-04-17

—

0.01%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
4.3	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:R) A real person has to do something—click, install, enable—otherwise it doesn’t land. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:N) Service keeps running; no real outage angle.	2.8	1.4	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

4.3

3.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R): A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N): Service keeps running; no real outage angle.

2.8

1.4

[email protected]

Affected software / configurations for CVE-2026-6451

Vendor	Product	Version	Raw CPE
No affected products in dataset.

URL	Tags
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-catalogs.php#L88
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-contacts.php#L93
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-positions.php#L119
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-receipts.php#L92
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-settings.php#L191
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-stock.php#L101
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-suppliers.php#L108
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-vehicles.php#L100
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/tags/1.0.0/includes/cfmw-vehicles.php#L98
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-catalogs.php#L88
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-contacts.php#L93
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-positions.php#L119
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-receipts.php#L92
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-settings.php#L191
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-stock.php#L101
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-suppliers.php#L108
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-vehicles.php#L100
https://plugins.trac.wordpress.org/browser/cms-fuer-motorrad-werkstaetten/trunk/includes/cfmw-vehicles.php#L98
https://www.wordfence.com/threat-intel/vulnerabilities/id/6895a774-7e78-4ab2-a2b3-2a333f258778?source=cve

URL

CVE-2026-6451 | CMS für Motorrad Werkstätten <= 1.0.0 - Cross-Site Request Forgery

Exploit prediction scoring system (EPSS) score for CVE-2026-6451

Common vulnerability scoring system (CVSS) metrics for CVE-2026-6451

Weakness enumeration for CVE-2026-6451

GitHub Security Advisory for CVE-2026-6451

Affected software / configurations for CVE-2026-6451

References for CVE-2026-6451