CVE-2026-4002
Received Received - Intake
CSRF in Petje.af Plugin Allows OAuth2 Token and Account Deletion

Publication date: 2026-04-15

Last updated on: 2026-04-15

Assigner: Wordfence

Description
The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8. This is due to missing nonce validation in the ajax_revoke_token() function which handles the 'petjeaf_disconnect' AJAX action. The function performs destructive operations including revoking OAuth2 tokens, deleting user meta, and deleting WordPress user accounts (for users with the 'petjeaf_member' role) without verifying the request originated from a legitimate source. This makes it possible for unauthenticated attackers to force authenticated users to delete their Petje.af member user accounts via a forged request granted the victim clicks on a link or visits a malicious site.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4002
EUVD
EUVD-2026-22867
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
petjeaf petje_af_plugin to 2.1.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Petje.af plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 2.1.8. This occurs because the ajax_revoke_token() function, which handles the 'petjeaf_disconnect' AJAX action, does not validate a security nonce to confirm the request's legitimacy.

As a result, attackers can trick authenticated users into performing destructive actions such as revoking OAuth2 tokens, deleting user metadata, and deleting WordPress user accounts with the 'petjeaf_member' role by making them click on a malicious link or visit a malicious website.

Impact Analysis

This vulnerability can lead to unauthorized deletion of user accounts and associated data for users with the 'petjeaf_member' role. An attacker can exploit this by forcing authenticated users to unknowingly revoke OAuth2 tokens, delete user metadata, and remove their WordPress user accounts.

The impact includes loss of user access, potential disruption of services relying on these accounts, and possible data loss related to user metadata.

Compliance Impact

The vulnerability allows unauthenticated attackers to force authenticated users to delete their Petje.af member user accounts via forged requests. This could lead to unauthorized account deletions and potential loss of user data integrity.

However, there is no specific information provided about how this vulnerability directly impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4002. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart