CVE-2026-6451 is a CSRF vulnerability in the tholstkabelbwde WordPress plugin 'CMS für Motorrad Werkstätten' affecting versions up to 1.0.0. The issue stems from the absence of nonce validation (no calls to check_ajax_referer() or wp_verify_nonce()) and missing capability checks (no current_user_can() calls) in eight AJAX deletion handlers. This allows attackers to craft forged requests that, when executed by an authenticated user, can delete critical data entities managed by the plugin. The vulnerability is classified under CWE-352 and has a CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), reflecting a network attack vector with low complexity and requiring user interaction but no privileges. No patch or official remediation has been published as of the data provided.

Successful exploitation can lead to unauthorized deletion of various data types within the plugin, including vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, and supplier catalogs. This results in integrity loss of the affected data but does not impact confidentiality or availability. The attack requires a logged-in user to be tricked into performing an action, such as clicking a malicious link, and does not require attacker privileges.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider restricting access to the plugin's AJAX handlers, implementing custom nonce and capability checks if possible, or disabling the plugin if feasible. Monitoring for suspicious user activity related to data deletion may help detect exploitation attempts.