CVE-2026-4002 Overview
The Petje.af plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 2.1.8. The vulnerability exists due to missing nonce validation in the ajax_revoke_token() function, which handles the petjeaf_disconnect AJAX action. This function performs destructive operations including revoking OAuth2 tokens, deleting user meta, and deleting WordPress user accounts for users with the petjeaf_member role without verifying that the request originated from a legitimate source.
Critical Impact
Unauthenticated attackers can force authenticated users to delete their Petje.af member user accounts via a forged request if the victim clicks on a malicious link or visits a compromised website.
Affected Products
- Petje.af WordPress Plugin versions up to and including 2.1.8
- WordPress installations with vulnerable Petje.af plugin enabled
- User accounts with the petjeaf_member role
Discovery Timeline
- April 15, 2026 - CVE-2026-4002 published to NVD
- April 15, 2026 - Last updated in NVD database
Technical Details for CVE-2026-4002
Vulnerability Analysis
This CSRF vulnerability stems from insufficient security controls in the OAuth2 provider implementation of the Petje.af plugin. The ajax_revoke_token() function processes the petjeaf_disconnect AJAX action without implementing WordPress nonce verification, which is the standard mechanism for validating that form submissions and AJAX requests originate from the intended source.
When a victim who is authenticated to WordPress visits a malicious page or clicks a crafted link, the attacker-controlled page can automatically submit a request to the vulnerable endpoint. The server processes this request as legitimate because it lacks the capability to distinguish between authentic user actions and forged cross-origin requests.
The impact is particularly concerning because the function performs multiple destructive operations: it revokes OAuth2 tokens, deletes associated user metadata, and can completely remove WordPress user accounts that have the petjeaf_member role. This could result in permanent data loss and service disruption for affected users.
Root Cause
The root cause of this vulnerability is the absence of nonce validation in the ajax_revoke_token() function within the class-petje-af-oauth2-provider.php file. WordPress provides the wp_verify_nonce() function specifically to prevent CSRF attacks by validating that requests include a cryptographically secure token that attackers cannot predict or forge. The vulnerable code path at line 326 of the OAuth2 provider class fails to implement this validation before executing destructive operations.
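The following is an added illustration, not the plugin's real code: a reconstruction of the vulnerable handler beside a hardened one that calls check_ajax_referer() (which wraps wp_verify_nonce()). The class name, meta key and script handle are assumed; only the action name, function name and role name come from the advisory.

```php
<?php
// Added example (not the plugin's real code): illustrative reconstruction of the
// vulnerable handler and its hardened form. Class name, meta key and script handle
// are assumed; the action, function and role names come from the advisory.
class Petje_Af_OAuth2_Provider_Example {

    public function __construct() {
        // WordPress routes admin-ajax.php requests carrying action=petjeaf_disconnect
        // from logged-in users to this hook.
        add_action( 'wp_ajax_petjeaf_disconnect', array( $this, 'ajax_revoke_token' ) );
        add_action( 'wp_enqueue_scripts', array( $this, 'enqueue_assets' ) );
    }

    public function enqueue_assets() {
        // Hand a nonce tied to this action and the current session to the front-end,
        // which sends it back, e.g. jQuery.post( petjeafExample.ajaxUrl,
        // { action: 'petjeaf_disconnect', nonce: petjeafExample.nonce } ).
        wp_enqueue_script( 'petjeaf-example', plugins_url( 'example.js', __FILE__ ), array( 'jquery' ), '1.0', true );
        wp_localize_script( 'petjeaf-example', 'petjeafExample', array(
            'ajaxUrl' => admin_url( 'admin-ajax.php' ),
            'nonce'   => wp_create_nonce( 'petjeaf_disconnect' ),
        ) );
    }

    // Vulnerable pattern (CVE-2026-4002): nothing ties the request to a deliberate
    // user action, so any page the victim's browser loads can reach the destructive path.
    public function ajax_revoke_token_vulnerable() {
        $this->disconnect_user( get_current_user_id() );
        wp_send_json_success();
    }

    // Hardened pattern: check_ajax_referer() runs wp_verify_nonce() on the 'nonce'
    // request field and stops the request with HTTP 403 when it is missing or invalid.
    public function ajax_revoke_token() {
        check_ajax_referer( 'petjeaf_disconnect', 'nonce' );
        $this->disconnect_user( get_current_user_id() );
        wp_send_json_success();
    }

    private function disconnect_user( $user_id ) {
        // Stand-ins for the destructive steps the advisory lists: revoke the OAuth2
        // token, delete user meta, delete accounts holding the petjeaf_member role.
        delete_user_meta( $user_id, 'petjeaf_access_token' ); // meta key is assumed
        $user = get_userdata( $user_id );
        if ( $user && in_array( 'petjeaf_member', (array) $user->roles, true ) ) {
            require_once ABSPATH . 'wp-admin/includes/user.php';
            wp_delete_user( $user_id );
        }
    }
}
```

Because the nonce is bound to the logged-in session, a third-party page cannot obtain a valid one, so the forged request is rejected before any token or account is touched.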
Attack Vector
The attack is conducted over the network and requires user interaction—specifically, the victim must click a link or visit a malicious website while authenticated to the WordPress site. The attacker crafts an HTML page containing a form or JavaScript that automatically submits a request to the vulnerable AJAX endpoint. Because the endpoint lacks CSRF protection, the browser sends the request with the victim's authentication cookies, and the server processes it as a legitimate user action.
The attack flow involves the attacker preparing a malicious webpage, distributing it to potential victims through phishing or other social engineering techniques, and waiting for an authenticated WordPress user with access to the Petje.af plugin to visit the page. Upon visiting, the malicious request is automatically executed, resulting in token revocation and potential account deletion.
Detection Methods for CVE-2026-4002
Indicators of Compromise
- Unexpected user account deletions for accounts with the petjeaf_member role
- OAuth2 tokens being revoked without user initiation
- Suspicious AJAX requests to the petjeaf_disconnect action from external referrers
- User reports of being logged out or losing access to Petje.af integration
Detection Strategies
- Monitor WordPress AJAX logs for unusual patterns of petjeaf_disconnect action requests
- Implement referrer checking at the web application firewall level for sensitive AJAX endpoints
- Review server access logs for requests to admin-ajax.php with the petjeaf_disconnect action originating from external sites
- Set up alerts for bulk or rapid user meta deletion events
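As an added example that is not part of the original advisory, the PHP script below applies the access-log strategy above to constructed Apache combined-format log lines: it flags admin-ajax.php requests for petjeaf_disconnect whose Referer belongs to another site, with the site host name passed in as an argument.

```php
<?php
// Added detection example, not from the advisory or the plugin. It scans Apache
// combined-format access log lines for the pattern described above: requests to
// admin-ajax.php for petjeaf_disconnect whose Referer is not the site itself.
const LOG_PATTERN = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

function find_suspicious_disconnects( array $lines, string $site_host ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        if ( ! preg_match( LOG_PATTERN, $line, $m ) ) {
            continue;
        }
        list( , $ip, $ts, $method, $target, , $referer ) = $m;
        if ( false === strpos( $target, 'admin-ajax.php' ) ) {
            continue;
        }
        parse_str( (string) parse_url( $target, PHP_URL_QUERY ), $params );
        $action   = $params['action'] ?? '';
        $ref_host = '' === $referer ? '' : (string) parse_url( $referer, PHP_URL_HOST );
        $offsite  = '' !== $ref_host && $ref_host !== $site_host && $ref_host !== 'www.' . $site_host;
        // WordPress AJAX usually carries the action in the POST body, which access logs
        // omit, so a GET with the action visible rates high; a cross-site POST rates medium.
        if ( 'petjeaf_disconnect' === $action && $offsite ) {
            $confidence = 'high';
        } elseif ( 'petjeaf_disconnect' === $action && '' === $ref_host ) {
            $confidence = 'medium'; // direct link with no Referer: worth a look
        } elseif ( 'POST' === $method && $offsite ) {
            $confidence = 'medium';
        } else {
            continue;
        }
        $hits[] = compact( 'ip', 'ts', 'method', 'referer', 'confidence' );
    }
    return $hits;
}

// Constructed sample lines, not real traffic.
$sample = array(
    '203.0.113.5 - - [15/Apr/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 27 "https://example.org/account" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Apr/2026:10:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=petjeaf_disconnect HTTP/1.1" 200 27 "https://third-party.invalid/page.html" "Mozilla/5.0"',
    '198.51.100.8 - - [15/Apr/2026:10:02:16 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 27 "https://third-party.invalid/page.html" "Mozilla/5.0"',
);
foreach ( find_suspicious_disconnects( $sample, 'example.org' ) as $h ) {
    printf( "%s %s %s referer=%s confidence=%s\n", $h['ts'], $h['ip'], $h['method'], $h['referer'], $h['confidence'] );
}
```

On the sample above the first line is skipped (same-site Referer), the second is reported as high confidence and the third as medium; POST hits need correlation with WordPress audit logs because the action itself is not in the access log.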
Monitoring Recommendations
- Enable detailed WordPress audit logging to track user account modifications and deletions
- Configure web application firewall rules to flag cross-origin requests to sensitive WordPress AJAX endpoints
- Implement user notification mechanisms when OAuth2 tokens are revoked or accounts are modified
- Regularly audit user accounts with the petjeaf_member role for unexpected changes
How to Mitigate CVE-2026-4002
Immediate Actions Required
- Update the Petje.af plugin to the latest version that includes CSRF protection
- Review recent user account activity for signs of exploitation
- Temporarily disable the Petje.af plugin if an update is not available
- Implement web application firewall rules to block suspicious requests to the vulnerable endpoint
Patch Information
Organizations using the Petje.af WordPress plugin should check for updates through the WordPress plugin repository. The vulnerability affects all versions up to and including 2.1.8. Review the Wordfence Vulnerability Report for the latest patch information and remediation guidance. Additionally, the vulnerable code can be examined at the WordPress Plugin OAuth2 Provider Code for reference.
Workarounds
- Implement additional authentication requirements for the petjeaf_disconnect AJAX action at the server level
- Use a web application firewall to enforce referrer validation for requests to admin-ajax.php
- Restrict access to the plugin's administrative functions to trusted IP addresses
- Consider temporarily removing the plugin until an official patch is available
# Example: Block suspicious AJAX requests via .htaccess (Apache)
# Add to WordPress root .htaccess file. Replace yourdomain.com with the site's host.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} /admin-ajax\.php$
# The action is usually sent in the POST body, which mod_rewrite cannot inspect,
# so match it in the query string (GET) or fall back to any POST to admin-ajax.php
RewriteCond %{QUERY_STRING} (^|&)action=petjeaf_disconnect(&|$) [OR]
RewriteCond %{REQUEST_METHOD} ^POST$
# Block only when a Referer is present and belongs to another site; the trailing
# (/|$) stops a look-alike host such as yourdomain.com.example from matching
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com(/|$) [NC]
RewriteRule ^ - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.