Skip to main content

DSGVO All in One CVE-2026-4298

| EUVDEUVD-2026-42562 MEDIUM
Missing Authorization (CWE-862)
2026-07-09 Wordfence GHSA-6h4r-gjpv-q3jc
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network-reachable, low complexity, but PR:L required (Subscriber account); impact limited to integrity of plugin content only, no confidentiality or availability loss.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 12:10 vuln.today
CVE Published
Jul 09, 2026 - 09:31 nvd
MEDIUM 4.3

DescriptionCVE.org

The DSGVO All in one for WP plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 4.9. This is due to the dsgvo_reset_policy_service_func() function lacking both capability checks and nonce verification while processing user-supplied parameters to reset plugin options. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset all customized privacy policy content including cookie notices, Google Analytics policies, Facebook policies, and YouTube policies to their default values.

AnalysisAI

Missing authorization in the DSGVO All in One for WP plugin (versions up to and including 4.9) allows any authenticated WordPress user with Subscriber-level access or higher to invoke the dsgvo_reset_policy_service_func() function and wipe all customized privacy policy content - cookie notices, Google Analytics policies, Facebook policies, and YouTube policies - back to plugin defaults. The root cause is a complete absence of both WordPress capability checks and nonce verification on a sensitive administrative function that accepts and acts on user-supplied parameters. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain WordPress Subscriber account
Delivery
Send authenticated POST to reset endpoint
Exploit
Trigger dsgvo_reset_policy_service_func() without capability check
Execution
All GDPR policy content reset to defaults
Impact
Site loses legally required privacy disclosures

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress account with at minimum Subscriber-level access on the target site - unauthenticated exploitation is not possible per the CVSS PR:L metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N accurately reflects a moderate, bounded impact: the attack is remotely exploitable over the network with low complexity and requires only a low-privilege (Subscriber) account - no user interaction needed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers for or already possesses a Subscriber-level account on a target WordPress site running DSGVO All in One for WP version 4.9 or earlier. The attacker sends a crafted authenticated POST request directly to the WordPress AJAX or admin-post endpoint invoking dsgvo_reset_policy_service_func() - since no nonce or capability check is enforced, the function executes and resets all customized cookie consent banners and GDPR disclosure policies to plugin defaults, potentially removing legally required disclosures and rendering the site non-compliant with GDPR obligations. …
Remediation An upstream fix has been committed to the WordPress plugin repository as changeset 3503821 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3503821%40dsgvo-all-in-one-for-wp&new=3503821%40dsgvo-all-in-one-for-wp); however, no specific patched release version number is independently confirmed from the available input data - administrators should check the plugin's WordPress.org page for a release newer than 4.9 that incorporates this changeset and update immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-4298 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy