WordPress Plugin CMS für Motorrad Werkstätten Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the WordPress plugin 'CMS für Motorrad Werkstätten' in versions up to and including 1.0.0. The vulnerability arises from missing nonce validation in eight AJAX deletion handlers. This oversight allows unauthenticated attackers to delete various records, including vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, and entire supplier catalogs, by tricking a logged-in user into interacting with a malicious link or page.
Impact
Exploitation of this vulnerability could lead to unauthorized deletion of critical data, including contacts, suppliers, and various inventory items, potentially disrupting business operations.
Reproduction
The AJAX deletion handlers act on the caller's login session without validating a nonce, so the application has no way to tell whether the logged-in user actually intended the request. A deletion request forged by a third party and carried to the handler by the victim's browser, with the victim's session attached, is therefore processed as if it were legitimate and removes the targeted record.
Remediation
No known patch is available. Users are advised to uninstall the affected plugin and seek a replacement.
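For readers assessing their own handlers, the following is an added illustration of the defect class described above beside its corrected form; it is not the plugin's code, and the hook names, table name and capability are hypothetical. The hardened handler ties each deletion to a nonce minted for that action and still enforces a capability check, since a nonce proves intent, not authority.

```php
<?php
// Added illustration, not the plugin's own code. Hook, action and table names are hypothetical.

// Vulnerable pattern: the handler trusts the session cookie alone. Any page a logged-in
// user visits can trigger it, because nothing ties the request to the user's intent.
add_action( 'wp_ajax_mw_delete_vehicle_unsafe', 'mw_delete_vehicle_unsafe' );
function mw_delete_vehicle_unsafe() {
    global $wpdb;
    $id = intval( $_POST['id'] );
    $wpdb->delete( $wpdb->prefix . 'mw_vehicles', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success();
}

// Hardened pattern: verify a nonce bound to this action, then the capability, then the input.
// Only wp_ajax_ is hooked (not wp_ajax_nopriv_), so logged-out callers never reach the handler;
// the nonce is what closes the cross-site path for logged-in victims.
add_action( 'wp_ajax_mw_delete_vehicle', 'mw_delete_vehicle' );
function mw_delete_vehicle() {
    // Responds 403 and stops execution if the nonce is absent, expired or not for this action.
    check_ajax_referer( 'mw_delete_vehicle', 'nonce' );

    // A valid nonce only shows the request came from the plugin's own page; still check authority.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'mw_vehicles', array( 'id' => $id ), array( '%d' ) );
    if ( false === $deleted ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}

// The nonce has to reach the legitimate front end: hand it to the admin script that
// issues the AJAX request, so only requests built by that script carry a valid token.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'mw-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'mw-admin', 'mwAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'mw_delete_vehicle' ),
    ) );
} );
```

When reviewing a plugin, the same check applies to every `wp_ajax_*` callback that changes state: look for `check_ajax_referer` (or `wp_verify_nonce`) and a `current_user_can` test before the write.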
