Platform: wordpress
Component: petje-af
Fixed version: 2.1.9
A security vulnerability has been identified in OpenClaw, specifically within its Gemini OAuth flow. This issue arises from the reuse of the PKCE verifier as the OAuth state value, which is then reflected back in the redirect URL. Successful exploitation could allow an attacker to capture both the authorization code and the PKCE verifier, potentially enabling unauthorized token redemption. The vulnerability affects versions of OpenClaw prior to 2026.4.2, and a patch is available in version 2026.4.2.
The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 2.1.8. The flaw is missing nonce validation in the ajaxrevoketoken() function, which handles the petjeafdisconnect AJAX action. Without verifying that the request originated from the site itself, this function performs destructive operations: it revokes OAuth2 tokens, deletes user meta, and deletes WordPress user accounts (for users with the 'petjeaf_member' role). An attacker can therefore trick an authenticated user into triggering these actions without their knowledge, compromising the site's integrity and user data. The severity stems from the possibility of unauthorized manipulation of sensitive data, up to and including complete deletion of user accounts.
To exploit the flaw, an attacker induces an authenticated user's browser to send a forged request to a site running the vulnerable Petje.af plugin, for example by getting the user to click a link or visit a page under the attacker's control. Because the browser attaches the user's authentication cookies automatically, the server treats the forged request as a legitimate action by that user. A malicious page could, for instance, contain a hidden form that submits the disconnect request, revoking the user's OAuth2 token and cutting off their access to Petje.af services. The deletion of users with the 'petjeaf_member' role is especially concerning, as it can cause data loss and service disruption.
Exploitation status
EPSS: 0.02% (4th percentile)
CISA SSVC
CVSS vector
The immediate fix is to update the Petje.af plugin to the latest available version, which includes the CSRF fix. Until then, additional measures are recommended: enable a WordPress security plugin that offers CSRF protection; educate users about phishing and social engineering, since those techniques are what lure them into triggering the malicious action; monitor server logs for suspicious activity so that attempted attacks can be detected and handled; and consider a Web Application Firewall (WAF) as an additional layer of protection.
No known patch is available. Review the vulnerability details thoroughly and apply mitigations according to your organization's risk tolerance. Ideally, uninstall the affected software and look for an alternative.
CSRF (Cross-Site Request Forgery) is a type of attack where an attacker tricks an authenticated user into performing unwanted actions on a web application.
If you are using a version of the Petje.af plugin prior to 2.1.8, your website is vulnerable. Update immediately.
Change all user passwords immediately, review server logs for suspicious activity, and consider restoring from a clean backup.
Several web security scanning tools, both free and paid, can help you detect CSRF vulnerabilities.
A nonce is a unique, unpredictable token used to prevent CSRF attacks. The server generates it, embeds it in the forms and requests of its own pages, and verifies it when a request arrives, so that only requests built by the legitimate site (which a page on another origin cannot read) are accepted.
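As an added illustration of the missing-nonce flaw described above and of how a WordPress nonce closes it (example code written for this page, not the Petje.af plugin's own source, which is not shown here), the following PHP contrasts an AJAX handler that performs the destructive disconnect without any origin check against a hardened handler that issues and verifies a nonce. The hook name petjeafdisconnect and the role petjeaf_member come from the advisory; the nonce action 'petjeaf_disconnect', the meta key 'petjeaf_access_token', the helper petjeaf_revoke_remote_token(), the script path and the revoke endpoint URL are assumptions made for this example.

```php
<?php
/**
 * Added illustration, not the Petje.af plugin's own code. The hook name
 * petjeafdisconnect and the role petjeaf_member are from the advisory; the
 * nonce action, meta key, helper function and endpoint URL are assumptions.
 */

const PETJEAF_REVOKE_ENDPOINT = 'https://example.invalid/oauth/revoke'; // placeholder, assumed

/** Hypothetical helper: ask the OAuth2 provider to revoke the stored token. */
function petjeaf_revoke_remote_token( $user_id ) {
    $token = get_user_meta( $user_id, 'petjeaf_access_token', true );
    if ( '' === $token ) {
        return true; // nothing to revoke
    }
    $response = wp_remote_post( PETJEAF_REVOKE_ENDPOINT, array( 'body' => array( 'token' => $token ) ) );
    return ! is_wp_error( $response );
}

/** The destructive work that both handlers below perform (as the advisory describes). */
function petjeaf_disconnect_user( $user_id ) {
    petjeaf_revoke_remote_token( $user_id );
    delete_user_meta( $user_id, 'petjeaf_access_token' );
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'petjeaf_member', (array) $user->roles, true ) ) {
        require_once ABSPATH . 'wp-admin/includes/user.php';
        wp_delete_user( $user_id );
    }
}

// --- Vulnerable pattern: the missing-nonce flaw ---
// wp_ajax_* hooks fire for any logged-in user, and the browser attaches the
// session cookie automatically, so a form on another origin that POSTs
// action=petjeafdisconnect to admin-ajax.php is accepted without question.
function petjeaf_ajax_revoke_token_vulnerable() {
    petjeaf_disconnect_user( get_current_user_id() );
    wp_send_json_success();
}

// --- Hardened pattern ---
function petjeaf_ajax_revoke_token_hardened() {
    // check_ajax_referer() reads the 'nonce' request field and verifies it
    // against the 'petjeaf_disconnect' action for the current user and time
    // window. With false as the third argument it returns false instead of
    // dying, so the handler can answer with an explicit 403.
    if ( ! check_ajax_referer( 'petjeaf_disconnect', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Missing or invalid nonce.' ), 403 );
    }
    // A page on another origin cannot read the nonce (same-origin policy), so a
    // request that reaches this point was built by the site's own page. Still
    // restrict the action to the requesting user's own account.
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        wp_send_json_error( array( 'message' => 'Not logged in.' ), 401 );
    }
    petjeaf_disconnect_user( $user_id );
    wp_send_json_success( array( 'message' => 'Disconnected.' ) );
}
add_action( 'wp_ajax_petjeafdisconnect', 'petjeaf_ajax_revoke_token_hardened' );

// Issue the nonce to the site's own page so that legitimate requests carry it.
// The client sends it as the 'nonce' field of the POST body, e.g.
// jQuery.post( petjeafAjax.url, { action: 'petjeafdisconnect', nonce: petjeafAjax.nonce } ).
function petjeaf_enqueue_disconnect_script() {
    wp_enqueue_script( 'petjeaf-disconnect', plugins_url( 'js/disconnect.js', __FILE__ ), array( 'jquery' ), '1.0', true ); // path assumed
    wp_localize_script( 'petjeaf-disconnect', 'petjeafAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'petjeaf_disconnect' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'petjeaf_enqueue_disconnect_script' );
```

The nonce check alone is what the advisory's fix requires; the logged-in check is belt-and-braces, since wp_ajax_* (as opposed to wp_ajax_nopriv_*) hooks only run for authenticated users. Because wp_send_json_error() calls wp_die(), a failed check never reaches the destructive code.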