Vulnerability Description
The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8. This is due to missing nonce validation in the ajax_revoke_token() function, which handles the 'petjeaf_disconnect' AJAX action. The function performs destructive operations, including revoking OAuth2 tokens, deleting user meta, and deleting WordPress user accounts (for users with the 'petjeaf_member' role), without verifying that the request originated from a legitimate source. This makes it possible for unauthenticated attackers to force authenticated users to delete their Petje.af member user accounts via a forged request, provided the victim clicks on a link or visits a malicious site.
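The following is an added illustration of the defect class described above, not the plugin's own code: a hypothetical reconstruction of a WordPress AJAX handler for the 'petjeaf_disconnect' action without nonce validation, beside the hardened form that ties the request to a nonce issued to the legitimate front-end. The helper petjeaf_revoke_remote_token(), the meta key 'petjeaf_access_token' and the script path js/disconnect.js are assumptions.

```php
<?php
// Hypothetical reconstruction; not code from the Petje.af plugin.
// Assumed helper: petjeaf_revoke_remote_token( $user_id ) calls the OAuth2 provider's revoke endpoint.

// Shared destructive work: revoke the token, drop stored meta, delete member accounts.
function petjeaf_do_disconnect( WP_User $user ) {
    petjeaf_revoke_remote_token( $user->ID );                // assumed helper
    delete_user_meta( $user->ID, 'petjeaf_access_token' );   // assumed meta key
    if ( in_array( 'petjeaf_member', (array) $user->roles, true ) ) {
        require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() lives here
        wp_delete_user( $user->ID );
    }
}

// BEFORE (vulnerable pattern): any request carrying the victim's logged-in cookies
// reaches the destructive code; nothing proves it came from the plugin's own UI.
function ajax_revoke_token_vulnerable() {
    $user = wp_get_current_user();
    if ( ! $user->exists() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    petjeaf_do_disconnect( $user );
    wp_send_json_success();
}

// AFTER (hardened): the request must carry a nonce minted for this action and this user.
// check_ajax_referer() looks for $_REQUEST['_ajax_nonce'] (falling back to '_wpnonce'),
// runs wp_verify_nonce() against the action name and stops with HTTP 403 on failure.
function ajax_revoke_token_fixed() {
    check_ajax_referer( 'petjeaf_disconnect' );
    $user = wp_get_current_user();
    if ( ! $user->exists() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    petjeaf_do_disconnect( $user );
    wp_send_json_success();
}
add_action( 'wp_ajax_petjeaf_disconnect', 'ajax_revoke_token_fixed' );

// The legitimate front-end needs the nonce: hand it to the disconnect script, which
// then sends it as '_ajax_nonce' alongside action=petjeaf_disconnect to admin-ajax.php.
function petjeaf_enqueue_disconnect_script() {
    wp_enqueue_script( 'petjeaf-disconnect', plugins_url( 'js/disconnect.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'petjeaf-disconnect', 'petjeafAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'petjeaf_disconnect' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'petjeaf_enqueue_disconnect_script' );
```

Because WordPress nonces are derived from the user's session token, a page on another origin cannot obtain one, so a forged cross-site request now fails the check_ajax_referer() call before any token, meta or account is touched.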
CVSS Score
MEDIUM (CVSS base score 4.3)
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/petje-af/tags/2.1.8/includes/class-pe
- https://plugins.trac.wordpress.org/browser/petje-af/tags/2.1.8/includes/class-pe
- https://plugins.trac.wordpress.org/browser/petje-af/tags/2.1.8/includes/class-pe
- https://plugins.trac.wordpress.org/browser/petje-af/trunk/includes/class-petje-a
- https://plugins.trac.wordpress.org/browser/petje-af/trunk/includes/class-petje-a
- https://plugins.trac.wordpress.org/browser/petje-af/trunk/includes/class-petje-a
- https://www.wordfence.com/threat-intel/vulnerabilities/id/28a071ac-37ee-4fb9-b8c
FAQ
What is CVE-2026-4002?
CVE-2026-4002 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8. This is due to missing nonce validation in the ajax_revoke_token() function whi...
How severe is CVE-2026-4002?
CVE-2026-4002 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2026-4002?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.