Platform
wordpress
Component
petje-af
Fixed in
2.1.9
A security vulnerability has been identified in OpenClaw, specifically within its Gemini OAuth flow. This issue arises from the reuse of the PKCE verifier as the OAuth state value, which is then reflected back in the redirect URL. Successful exploitation could allow an attacker to capture both the authorization code and the PKCE verifier, potentially enabling unauthorized token redemption. The vulnerability affects versions of OpenClaw prior to 2026.4.2, and a patch is available in version 2026.4.2.
The Cross-Site Request Forgery (CSRF) vulnerability in the Petje.af plugin for WordPress, affecting all versions up to and including 2.1.8, poses a significant security risk. The flaw lies in the missing nonce validation within the ajax_revoke_token() function, which handles the petjeaf_disconnect AJAX action. This function performs destructive operations, including revoking OAuth2 tokens, deleting user meta, and deleting WordPress user accounts (for users with the 'petjeaf_member' role) without verifying the request's origin. An attacker could trick an authenticated user into performing these actions without their knowledge, potentially compromising the website's integrity and user data. The severity stems from the possibility of unauthorized access and manipulation of sensitive data, including complete user deletion.
An attacker could exploit this vulnerability by sending a malicious HTTP request to an authenticated user on a website using the vulnerable Petje.af plugin. This request could be disguised as a legitimate action, such as clicking a link or visiting a webpage. If the user is authenticated, their authentication cookies will be included in the request, allowing the attacker to trick the server into executing the malicious action. For example, an attacker could create a malicious webpage containing a hidden form that submits a request to revoke an OAuth2 token for a user, effectively removing their access to Petje.af services. Deleting users with the 'petjeaf_member' role is particularly concerning, as it could lead to data loss and service disruption.
Exploit status
EPSS
0.02% (4th percentile)
CISA SSVC
CVSS vector
The immediate solution is to update the Petje.af plugin to the latest available version, which should include the CSRF vulnerability fix. In the meantime, implementing additional security measures is recommended. This includes enabling a WordPress security plugin that offers CSRF protection. Educating users about phishing and social engineering risks is also crucial, as these techniques can be used to deceive them into performing malicious actions. Monitoring server logs for suspicious activity can help detect and respond to potential attacks. Consider implementing a Web Application Firewall (WAF) for an additional layer of protection.
No known patch available. Please review the vulnerability details thoroughly and implement protective measures based on your organization's risk appetite. It may be best to uninstall the affected software and find an alternative.
CSRF (Cross-Site Request Forgery) is a type of attack where an attacker tricks an authenticated user into performing unwanted actions on a web application.
If you are using the Petje.af plugin in a version prior to 2.1.8, your website is vulnerable. Perform an immediate update.
Immediately change all user passwords, review server logs for suspicious activity, and consider restoring from a clean backup.
Several web security scanning tools can help you detect CSRF vulnerabilities, both free and paid.
A nonce is a unique number used to prevent CSRF attacks. It is generated on the server and included in HTTP requests. The server verifies the nonce to ensure the request originates from a legitimate source.
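The following is an added example, not code from the Petje.af plugin, showing the two sides of the flaw described above in a WordPress AJAX handler: a disconnect endpoint that performs the same kind of destructive work (token revocation, meta deletion, account deletion) with no nonce check, beside a hardened version that mints a nonce server-side, verifies it with check_ajax_referer(), and still enforces a capability and ownership check. All hook names, function names, meta keys, the role name and the remote URL are assumptions made up for this example.

```php
<?php
// Added example (not the Petje.af plugin's own code). Hook names, function
// names, meta keys, the 'demo_member' role and the remote URL are assumptions.

// Placeholder for the call that revokes the OAuth2 token at the remote service.
function demo_revoke_remote_token( $user_id ) {
    $token = get_user_meta( $user_id, 'demo_access_token', true );
    if ( ! $token ) {
        return false;
    }
    $response = wp_remote_post( 'https://example.invalid/oauth/revoke', array(
        'timeout' => 10,
        'body'    => array( 'token' => $token ),
    ) );
    return ! is_wp_error( $response );
}

// --- Vulnerable pattern: only the session cookie is checked -----------------
// A request from any origin that carries the victim's cookies reaches this code,
// so a hidden form or script on a third-party page can trigger the deletion.
add_action( 'wp_ajax_demo_disconnect_vulnerable', 'demo_disconnect_vulnerable' );
function demo_disconnect_vulnerable() {
    $user_id = get_current_user_id();
    demo_revoke_remote_token( $user_id );
    delete_user_meta( $user_id, 'demo_access_token' );
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'demo_member', (array) $user->roles, true ) ) {
        require_once ABSPATH . 'wp-admin/includes/user.php';
        wp_delete_user( $user_id ); // destructive, and reachable cross-site
    }
    wp_send_json_success();
}

// --- Hardened pattern -------------------------------------------------------
// 1. The nonce is created on the server, bound to this action and the current
//    user, and handed to the page script via wp_localize_script().
add_action( 'wp_enqueue_scripts', 'demo_enqueue_disconnect_script' );
function demo_enqueue_disconnect_script() {
    if ( ! is_user_logged_in() ) {
        return;
    }
    wp_enqueue_script( 'demo-disconnect', plugins_url( 'disconnect.js', __FILE__ ),
        array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-disconnect', 'demoDisconnect', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_disconnect_action' ),
    ) );
}

// 2. The handler dies before doing any work unless the nonce verifies;
// 3. a capability check is still enforced, because a nonce proves intent,
//    not authorization, and the target is always the caller's own account.
add_action( 'wp_ajax_demo_disconnect', 'demo_disconnect_hardened' );
function demo_disconnect_hardened() {
    // Sends "-1" with HTTP 403 and exits when the 'nonce' POST/GET field is
    // missing, forged, expired, or was minted for another user or action.
    check_ajax_referer( 'demo_disconnect_action', 'nonce' );

    $user_id = get_current_user_id();
    if ( ! $user_id || ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    demo_revoke_remote_token( $user_id );
    delete_user_meta( $user_id, 'demo_access_token' );

    // Account deletion is the highest-impact branch: require an explicit
    // confirmation field as well, so a single click can never delete a user.
    $confirmed = isset( $_POST['confirm_delete'] ) && '1' === $_POST['confirm_delete'];
    $user      = get_userdata( $user_id );
    if ( $confirmed && $user && in_array( 'demo_member', (array) $user->roles, true ) ) {
        require_once ABSPATH . 'wp-admin/includes/user.php';
        wp_delete_user( $user_id );
        wp_send_json_success( array( 'deleted' => true ) );
    }
    wp_send_json_success( array( 'deleted' => false ) );
}
```

The page script posts `action=demo_disconnect` together with the `nonce` value it received from wp_localize_script(); a cross-site page cannot read that value, so its forged request fails at check_ajax_referer() before any token is revoked or any meta or account is touched. The capability check and the caller-only target are kept deliberately: a nonce alone would not stop a logged-in user from naming a different user ID if the handler ever took one from the request.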