CVE-2026-4283 - Vulnerability Details

- WP DSGVO Tools (GDPR) <= 3.1.38 - Missing Authorization to Unauthenticated Account Destruction of Non-Admin Users

Description

The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the `super-unsubscribe` AJAX action accepting a `process_now` parameter from unauthenticated users, which bypasses the intended email-confirmation flow and immediately triggers irreversible account anonymization. This makes it possible for unauthenticated attackers to permanently destroy any non-administrator user account (password randomized, username/email overwritten, roles stripped, comments anonymized, sensitive usermeta wiped) by submitting the victim's email address with `process_now=1`. The nonce required for the request is publicly available on any page containing the `[unsubscribe_form]` shortcode.

Published: 2026-03-24

Score: 9.1 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The WP DSGVO Tools (GDPR) plugin allows an unauthenticated user to trigger the super-unsubscribe AJAX action with the process_now parameter, bypassing the intended email confirmation. This action immediately anonymizes and deletes any non-administrator user account, overwriting usernames, emails, roles, and usermeta, and removing associated comments. The result is an irreversible loss of user data and disruption of legitimate user access without any prior authorization.

Affected Systems

Customers running the WP DSGVO Tools (GDPR) WordPress plugin from vendor legalweb, in any version up to and including 3.1.38, are affected. The vulnerability exists in all earlier releases of the plugin as well.

Risk and Exploitability

The CVSS base score of 9.1 marks this as critical, and while the EPSS score is not available, the lack of authentication requirement and the public availability of the nonce on any page featuring the unsubscribe shortcode make exploitation trivially achievable through a simple HTTP request. The vulnerability is not listed in the CISA KEV catalog, but the potential for mass account deletions poses a significant business risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

legalweb

WP DSGVO Tools (GDPR)

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.1.38

No data.

Vendor Product Confidence Versions

Legalweb

Wp Dsgvo Tools

88%

Version	Status	Scheme	Platform
`[0,3.1.38]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the WP DSGVO Tools (GDPR) plugin to version 3.1.39 or later to remove the vulnerable super-unsubscribe action.
If an immediate update is not possible, temporarily remove or disable pages that use the [unsubscribe_form] shortcode to block public nonce exposure.
Consider disabling the super-unsubscribe AJAX endpoint or restricting it to authenticated users via custom code or a WordPress security plugin.
Audit user roles to ensure that sensitive accounts are protected and consider implementing additional role‑based restrictions around the plugin functionality.

Generated by OpenCVE AI on March 24, 2026 at 06:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00135.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.38/includes/class-sp-dsgvo-ajax-action.php#L69
https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.38/includes/class-sp-dsgvo-data-collecter.php#L250
https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.38/includes/models/unsubscriber.php#L24
https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.38/public/shortcodes/super-unsubscribe/unsubscribe-form-action.php#L39
https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/trunk/public/shortcodes/super-unsubscribe/unsubscribe-form-action.php#L39
https://plugins.trac.wordpress.org/changeset?old_path=/shapepress-dsgvo/tags/3.1.38&new_path=/shapepress-dsgvo/tags/3.1.39
https://www.wordfence.com/threat-intel/vulnerabilities/id/21389122-cb39-45d1-a889-b830d3a55603?source=cve

History

Tue, 24 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 24 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Legalweb Legalweb wp Dsgvo Tools Wordpress Wordpress wordpress
Vendors & Products		Legalweb Legalweb wp Dsgvo Tools Wordpress Wordpress wordpress

Tue, 24 Mar 2026 05:15:00 +0000

Type	Values Removed	Values Added
Description		The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the `super-unsubscribe` AJAX action accepting a `process_now` parameter from unauthenticated users, which bypasses the intended email-confirmation flow and immediately triggers irreversible account anonymization. This makes it possible for unauthenticated attackers to permanently destroy any non-administrator user account (password randomized, username/email overwritten, roles stripped, comments anonymized, sensitive usermeta wiped) by submitting the victim's email address with `process_now=1`. The nonce required for the request is publicly available on any page containing the `[unsubscribe_form]` shortcode.
Title		WP DSGVO Tools (GDPR) <= 3.1.38 - Missing Authorization to Unauthenticated Account Destruction of Non-Admin Users
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.38/includes/class-sp-dsgvo-ajax-action.php#L69 https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.38/includes/class-sp-dsgvo-data-collecter.php#L250 https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.38/includes/models/unsubscriber.php#L24 https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.38/public/shortcodes/super-unsubscribe/unsubscribe-form-action.php#L39 https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/trunk/public/shortcodes/super-unsubscribe/unsubscribe-form-action.php#L39 https://plugins.trac.wordpress.org/changeset?old_path=/shapepress-dsgvo/tags/3.1.38&new_path=/shapepress-dsgvo/tags/3.1.39 https://www.wordfence.com/threat-intel/vulnerabilities/id/21389122-cb39-45d1-a889-b830d3a55603?source=cve
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}`

Subscriptions

Legalweb Wp Dsgvo Tools

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-03-24T04:27:50.054Z

Updated: 2026-04-08T16:41:24.691Z

Reserved: 2026-03-16T16:17:14.969Z

Link: CVE-2026-4283

Vulnrichment

Updated: 2026-03-24T13:18:44.624Z

NVD

Status : Deferred

Published: 2026-03-24T05:16:24.343

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-4283

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:40:06Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object