EUVD-2026-22867CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8. This is due to missing nonce validation in the ajax_revoke_token() function which handles the 'petjeaf_disconnect' AJAX action. The function performs destructive operations including revoking OAuth2 tokens, deleting user meta, and deleting WordPress user accounts (for users with the 'petjeaf_member' role) without verifying the request originated from a legitimate source. This makes it possible for unauthenticated attackers to force authenticated users to delete their Petje.af member user accounts via a forged request granted the victim clicks on a link or visits a malicious site.
AnalysisAI
Cross-site request forgery in Petje.af WordPress plugin versions up to 2.1.8 allows unauthenticated attackers to force authenticated users into destructive actions-including revoking OAuth2 tokens, deleting user metadata, and permanently removing WordPress user accounts with the 'petjeaf_member' role-by crafting malicious requests that bypass nonce validation in the ajax_revoke_token() AJAX handler. The vulnerability requires user interaction (victim must click a link or visit a malicious site) but carries moderate integrity impact due to the ability to delete user accounts.
Sign in for full analysis, threat intelligence, and remediation guidance.
Share
External POC / Exploit Code
Leaving vuln.today