CVE-2026-4283
published 2026-03-24CVE-2026-4283: The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to…
PriorityP358critical9.1CVSS 3.1
AVNACLPRNUINSUCNIHAH
EPSS
0.43%
34.5th percentile
The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the `super-unsubscribe` AJAX action accepting a `process_now` parameter from unauthenticated users, which bypasses the intended email-confirmation flow and immediately triggers irreversible account anonymization. This makes it possible for unauthenticated attackers to permanently destroy any non-administrator user account (password randomized, username/email overwritten, roles stripped, comments anonymized, sensitive usermeta wiped) by submitting the victim's email address with `process_now=1`. The nonce required for the request is publicly available on any page containing the `[unsubscribe_form]` shortcode.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| legalweb | wp_dsgvo_tools | <= 3.1.38 | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.38/includes/class-sp-dsgvo-ajax-action.php#L69https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.38/includes/class-sp-dsgvo-data-collecter.php#L250https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.38/includes/models/unsubscriber.php#L24https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.38/public/shortcodes/super-unsubscribe/unsubscribe-form-action.php#L39https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/trunk/public/shortcodes/super-unsubscribe/unsubscribe-form-action.php#L39https://plugins.trac.wordpress.org/changeset?old_path=/shapepress-dsgvo/tags/3.1.38&new_path=/shapepress-dsgvo/tags/3.1.39https://www.wordfence.com/threat-intel/vulnerabilities/id/21389122-cb39-45d1-a889-b830d3a55603?source=cve
2026-03-24
Published