Platform
wordpress
Component
petje-af
Fixed in
2.1.9
2.1.9
A security vulnerability has been identified in OpenClaw, specifically within its Gemini OAuth flow. This issue arises from the reuse of the PKCE verifier as the OAuth state value, which is then reflected back in the redirect URL. Successful exploitation could allow an attacker to capture both the authorization code and the PKCE verifier, potentially enabling unauthorized token redemption. The vulnerability affects versions of OpenClaw prior to 2026.4.2, and a patch is available in version 2026.4.2.
The Cross-Site Request Forgery (CSRF) vulnerability in the Petje.af plugin for WordPress, affecting all versions up to and including 2.1.8, poses a significant security risk. The flaw lies in the missing nonce validation within the ajaxrevoketoken() function, which handles the petjeafdisconnect AJAX action. This function performs destructive operations, including revoking OAuth2 tokens, deleting user meta, and deleting WordPress user accounts (for users with the 'petjeafmember' role) without verifying the request's origin. An attacker could trick an authenticated user into performing these actions without their knowledge, potentially compromising the website's integrity and user data. The severity stems from the possibility of unauthorized access and manipulation of sensitive data, including complete user deletion.
An attacker could exploit this vulnerability by sending a malicious HTTP request to an authenticated user on a website using the vulnerable Petje.af plugin. This request could be disguised as a legitimate action, such as clicking a link or visiting a webpage. If the user is authenticated, their authentication cookies will be included in the request, allowing the attacker to trick the server into executing the malicious action. For example, an attacker could create a malicious webpage containing a hidden form that submits a request to revoke an OAuth2 token for a user, effectively removing their access to Petje.af services. Deleting users with the 'petjeaf_member' role is particularly concerning, as it could lead to data loss and service disruption.
Exploit Status
EPSS
0.02% (4% percentile)
CISA SSVC
CVSS Vector
The immediate solution is to update the Petje.af plugin to the latest available version, which should include the CSRF vulnerability fix. In the meantime, implementing additional security measures is recommended. This includes enabling a WordPress security plugin that offers CSRF protection. Educating users about phishing and social engineering risks is also crucial, as these techniques can be used to deceive them into performing malicious actions. Monitoring server logs for suspicious activity can help detect and respond to potential attacks. Consider implementing a Web Application Firewall (WAF) for an additional layer of protection.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Vulnerability analysis and critical alerts directly to your inbox.
CSRF (Cross-Site Request Forgery) is a type of attack where an attacker tricks an authenticated user into performing unwanted actions on a web application.
If you are using the Petje.af plugin in a version prior to 2.1.8, your website is vulnerable. Perform an immediate update.
Immediately change all user passwords, review server logs for suspicious activity, and consider restoring from a clean backup.
Several web security scanning tools can help you detect CSRF vulnerabilities, both free and paid.
A nonce is a unique number used to prevent CSRF attacks. It is generated on the server and included in HTTP requests. The server verifies the nonce to ensure the request originates from a legitimate source.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.