Veröffentlicht am von ms-freelancer

CVE-2026-4002 – Petje.af <= 2.1.8 - Cross-Site Request Forgery to Account Deletion via 'petjeaf_disconnect' AJAX Action

CVE ID :CVE-2026-4002

Published : April 15, 2026, 8:28 a.m. | 1 hour, 29 minutes ago

Description :The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8. This is due to missing nonce validation in the ajax_revoke_token() function which handles the ‚petjeaf_disconnect‘ AJAX action. The function performs destructive operations including revoking OAuth2 tokens, deleting user meta, and deleting WordPress user accounts (for users with the ‚petjeaf_member‘ role) without verifying the request originated from a legitimate source. This makes it possible for unauthenticated attackers to force authenticated users to delete their Petje.af member user accounts via a forged request granted the victim clicks on a link or visits a malicious site.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…