{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4002", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-11T18:44:40.867Z", "datePublished": "2026-04-15T08:28:14.102Z", "dateUpdated": "2026-04-15T15:50:38.937Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-15T08:28:14.102Z"}, "affected": [{"vendor": "petjeaf", "product": "Petje.af", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8. This is due to missing nonce validation in the ajax_revoke_token() function which handles the 'petjeaf_disconnect' AJAX action. The function performs destructive operations including revoking OAuth2 tokens, deleting user meta, and deleting WordPress user accounts (for users with the 'petjeaf_member' role) without verifying the request originated from a legitimate source. This makes it possible for unauthenticated attackers to force authenticated users to delete their Petje.af member user accounts via a forged request granted the victim clicks on a link or visits a malicious site."}], "title": "Petje.af <= 2.1.8 - Cross-Site Request Forgery to Account Deletion via 'petjeaf_disconnect' AJAX Action", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/28a071ac-37ee-4fb9-b8c6-0a782ee673b4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/petje-af/trunk/includes/class-petje-af-oauth2-provider.php#L346"}, {"url": "https://plugins.trac.wordpress.org/browser/petje-af/tags/2.1.8/includes/class-petje-af-oauth2-provider.php#L346"}, {"url": "https://plugins.trac.wordpress.org/browser/petje-af/trunk/includes/class-petje-af-oauth2-provider.php#L326"}, {"url": "https://plugins.trac.wordpress.org/browser/petje-af/tags/2.1.8/includes/class-petje-af-oauth2-provider.php#L326"}, {"url": "https://plugins.trac.wordpress.org/browser/petje-af/trunk/includes/class-petje-af.php#L182"}, {"url": "https://plugins.trac.wordpress.org/browser/petje-af/tags/2.1.8/includes/class-petje-af.php#L182"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "timeline": [{"time": "2026-04-14T19:46:31.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T15:50:26.775104Z", "id": "CVE-2026-4002", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T15:50:38.937Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4002", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T15:50:26.775104Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T15:50:35.879Z"}}], "cna": {"title": "Petje.af <= 2.1.8 - Cross-Site Request Forgery to Account Deletion via 'petjeaf_disconnect' AJAX Action", "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "petjeaf", "product": "Petje.af", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-14T19:46:31.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/28a071ac-37ee-4fb9-b8c6-0a782ee673b4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/petje-af/trunk/includes/class-petje-af-oauth2-provider.php#L346"}, {"url": "https://plugins.trac.wordpress.org/browser/petje-af/tags/2.1.8/includes/class-petje-af-oauth2-provider.php#L346"}, {"url": "https://plugins.trac.wordpress.org/browser/petje-af/trunk/includes/class-petje-af-oauth2-provider.php#L326"}, {"url": "https://plugins.trac.wordpress.org/browser/petje-af/tags/2.1.8/includes/class-petje-af-oauth2-provider.php#L326"}, {"url": "https://plugins.trac.wordpress.org/browser/petje-af/trunk/includes/class-petje-af.php#L182"}, {"url": "https://plugins.trac.wordpress.org/browser/petje-af/tags/2.1.8/includes/class-petje-af.php#L182"}], "descriptions": [{"lang": "en", "value": "The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8. This is due to missing nonce validation in the ajax_revoke_token() function which handles the 'petjeaf_disconnect' AJAX action. The function performs destructive operations including revoking OAuth2 tokens, deleting user meta, and deleting WordPress user accounts (for users with the 'petjeaf_member' role) without verifying the request originated from a legitimate source. This makes it possible for unauthenticated attackers to force authenticated users to delete their Petje.af member user accounts via a forged request granted the victim clicks on a link or visits a malicious site."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-15T08:28:14.102Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4002", "state": "PUBLISHED", "dateUpdated": "2026-04-15T15:50:38.937Z", "dateReserved": "2026-03-11T18:44:40.867Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-15T08:28:14.102Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8. This is due to missing nonce validation in the ajax_revoke_token() function which handles the 'petjeaf_disconnect' AJAX action. The function performs destructive operations including revoking OAuth2 tokens, deleting user meta, and deleting WordPress user accounts (for users with the 'petjeaf_member' role) without verifying the request originated from a legitimate source. This makes it possible for unauthenticated attackers to force authenticated users to delete their Petje.af member user accounts via a forged request granted the victim clicks on a link or visits a malicious site."}], "id": "CVE-2026-4002", "lastModified": "2026-04-15T09:16:32.547", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-15T09:16:32.547", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/petje-af/tags/2.1.8/includes/class-petje-af-oauth2-provider.php#L326"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/petje-af/tags/2.1.8/includes/class-petje-af-oauth2-provider.php#L346"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/petje-af/tags/2.1.8/includes/class-petje-af.php#L182"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/petje-af/trunk/includes/class-petje-af-oauth2-provider.php#L326"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/petje-af/trunk/includes/class-petje-af-oauth2-provider.php#L346"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/petje-af/trunk/includes/class-petje-af.php#L182"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/28a071ac-37ee-4fb9-b8c6-0a782ee673b4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Petje.af", "source": "cna", "vendor": "petjeaf"}, "product": "petje.af", "vendor": "petjeaf"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T10:26:13.131964+00:00", "value": {"mitigation_remediation": ["Update the Petje.af plugin to the latest released version where the CSRF validation has been added to the petjeaf_disconnect AJAX handler.", "If an update is not immediately available, disable or restrict the petjeaf_disconnect AJAX action for non\u2011admin users, ensuring only authorized accounts can invoke it.", "As a temporary workaround, manually modify the plugin\u2019s class-petje-af-oauth2-provider.php file to add a nonce check to the ajax_revoke_token() function before performing any destructive operations."], "summary": {"action": "Immediate Patch", "impact": "Destructive user account deletion via CSRF"}, "threat_synthesis": {"affected_systems": "All versions of Petje.af up to and including 2.1.8 are impacted. The affected product is the Petje.af WordPress plugin, as listed by its CNA vendor \"petjeaf\". Users running any of these versions should verify whether they are within this version range.", "description_and_impact": "The Petje.af plugin for WordPress is vulnerable to a Cross\u2011Site Request Forgery flaw that allows an attacker to trigger the 'petjeaf_disconnect' AJAX action without any nonce verification. This action performs critical operations such as revoking OAuth2 tokens, deleting user meta, and permanently removing WordPress user accounts that have the 'petjeaf_member' role. Consequently, an attacker who can convince an authenticated user to load a malicious page can cause that user to lose their Petje.af member account and associated data. The weakness is classified as CWE\u2011352.", "risk_and_exploitability": "The CVSS score is 4.3, indicating a medium severity level. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting that known exploitation cases are limited or not yet reported. Attackers would need the victim to click a crafted link or visit a malicious site, which provides a reasonably low barrier to exploitation for socially engineered users. The risk is mitigated only by preventing the CSRF request from being accepted, which requires a patch or configuration change from the vendor."}}}}, "created": "2026-04-15T13:49:14.864222+00:00", "updated": "2026-04-15T14:53:22.785972+00:00", "vendors": ["petjeaf", "petjeaf$PRODUCT$petje.af", "wordpress", "wordpress$PRODUCT$wordpress"]}