CVE-2021-42359
published 2021-11-05


Priority: P178
CVSS 3.1: 9.1 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
Exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 3.93% (89.1st percentile)
WP DSGVO Tools (GDPR) <= 3.1.23 had an AJAX action, 'admin-dismiss-unsubscribe', which lacked a capability check and a nonce check and was available to unauthenticated users, and did not check the post type when deleting unsubscription requests. As such, it was possible for an attacker to permanently delete an arbitrary post or page on the site by sending an AJAX request with the "action" parameter set to "admin-dismiss-unsubscribe" and the "id" parameter set to the post to be deleted. Sending such a request would move the post to the trash, and repeating the request would permanently delete the post in question.

Affected (2 ranges)

Vendor     Product          Version range      Fixed in
legalweb   wp_dsgvo_tools   <= 3.1.23          not listed
legalweb   wp_dsgvo_tools   3.1.23 – 3.1.23    not listed

Detection & IOCs (extracted from sources)

URL: /wp-admin/admin-ajax.php
Request parameters: action=admin-dismiss-unsubscribe&id={{post_id}}
Path: /wp-content/plugins/shapepress-dsgvo/
  • Repeated requests to admin-ajax.php with action=admin-dismiss-unsubscribe and the same post ID indicate an attempt to permanently delete a post (the first request trashes it, the second permanently deletes it). admin-ajax.php takes the action from $_REQUEST, so match the parameter in GET query strings as well as in POST bodies.
  • The path /wp-content/plugins/shapepress-dsgvo/ appearing in HTTP responses confirms the plugin is installed and can be used for passive fingerprinting; on its own it does not establish that the installed version is <= 3.1.23.
  • Attacker reconnaissance step: an unauthenticated GET to /wp-json/wp/v2/posts or /?rest_route=/wp/v2/posts to enumerate post IDs before triggering deletion.
  • The vulnerability requires no authentication, no nonce and no capability: any unauthenticated HTTP client can trigger post deletion, so blocking requests to admin-ajax.php that carry this action (in the query string or the body) at the network or WAF layer is a viable interim mitigation until the plugin is updated.
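The indicators above, turned into a small log-scanning and request-filtering routine. This is an added example written for this page; it is not code from the CVE record, from the plugin, or from any vendor. It assumes combined-format access logs (the sample lines, IP addresses from documentation ranges, timestamps and the plugin asset file name are all constructed). A POST body is not recorded in an access log, so the analyzer only sees the action when it travels in the query string; the blocking check accepts an optional body so a WAF or reverse proxy can apply the same rule to both methods.

```python
"""Detect and block CVE-2021-42359 exploitation attempts (added example)."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

VULN_ACTION = "admin-dismiss-unsubscribe"
AJAX_PATH = "/wp-admin/admin-ajax.php"
PLUGIN_PATH = "/wp-content/plugins/shapepress-dsgvo/"
REST_POSTS = ("/wp-json/wp/v2/posts", "rest_route=/wp/v2/posts")

# Constructed sample log (combined format, made-up IPs and timestamps): one client
# enumerates posts over REST, trashes and then permanently deletes post 42, and
# trashes post 43 via GET; a second client sends ordinary heartbeat/asset traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Nov/2021:10:00:01 +0000] "GET /wp-json/wp/v2/posts?per_page=100 HTTP/1.1" 200 18231 "-" "python-requests/2.26.0"
203.0.113.7 - - [05/Nov/2021:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=admin-dismiss-unsubscribe&id=42 HTTP/1.1" 200 3 "-" "python-requests/2.26.0"
203.0.113.7 - - [05/Nov/2021:10:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=admin-dismiss-unsubscribe&id=42 HTTP/1.1" 200 3 "-" "python-requests/2.26.0"
203.0.113.7 - - [05/Nov/2021:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=admin-dismiss-unsubscribe&id=43 HTTP/1.1" 200 3 "-" "python-requests/2.26.0"
198.51.100.9 - - [05/Nov/2021:10:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 51 "-" "Mozilla/5.0"
"""

# Constructed HTML fragment; the asset file name is hypothetical.
SAMPLE_HTML = '<link rel="stylesheet" href="/wp-content/plugins/shapepress-dsgvo/assets/css/style.css?ver=3.1.23">'

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def request_params(target: str, body: str = "") -> dict:
    """Merge query-string and form-body parameters, mirroring admin-ajax.php's
    use of $_REQUEST: the action counts whether it arrives by GET or POST."""
    params = {}
    for source in (urlsplit(target).query, body):
        for key, values in parse_qs(source, keep_blank_values=True).items():
            params[key] = values[-1]
    return params


def is_vuln_action(target: str, body: str = "") -> bool:
    """True when the request targets admin-ajax.php with the vulnerable action."""
    if not urlsplit(target).path.endswith(AJAX_PATH):
        return False
    return request_params(target, body).get("action") == VULN_ACTION


def should_block(target: str, body: str = "") -> bool:
    """Interim mitigation from the record: drop every request carrying the
    vulnerable action, regardless of HTTP method, until the plugin is updated."""
    return is_vuln_action(target, body)


def plugin_fingerprint(html: str) -> bool:
    """Passive check: a response referencing the plugin directory shows the
    plugin is installed (it says nothing about the installed version)."""
    return PLUGIN_PATH in html


def analyze(log_text: str) -> dict:
    """Scan access-log lines and report the indicators from the record."""
    hits = defaultdict(list)  # (client ip, post id) -> list of methods seen
    recon_ips = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, target = m["ip"], m["method"], m["target"]
        if any(marker in target for marker in REST_POSTS):
            recon_ips.add(ip)  # post-ID enumeration via the REST API
        if is_vuln_action(target):
            post_id = request_params(target).get("id", "?")
            hits[(ip, post_id)].append(method)
    return {
        "attempts": {k: len(v) for k, v in hits.items()},
        # two or more hits on one id: the first trashes it, the second deletes it
        "permanent_delete_suspected": sorted(k for k, v in hits.items() if len(v) >= 2),
        # clients that enumerated posts and then fired the vulnerable action
        "recon_then_delete": sorted({ip for ip, _ in hits} & recon_ips),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The blocking rule is deliberately method-agnostic; a rule limited to POST would miss the GET variant on the fourth sample line. Because the deletion is two requests against one ID, a single hit is already worth an alert on a site running an affected version, while the repeat is the signal that the post is gone for good.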

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.1     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
nvd         v2.0      6.4     MEDIUM     AV:N/AC:L/Au:N/C:N/I:P/A:P
vulncheck             7.5     HIGH       not listed