Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Network-reachable, low complexity, but PR:L required (Subscriber account); impact limited to integrity of plugin content only, no confidentiality or availability loss.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The DSGVO All in one for WP plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 4.9. This is due to the dsgvo_reset_policy_service_func() function lacking both capability checks and nonce verification while processing user-supplied parameters to reset plugin options. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset all customized privacy policy content including cookie notices, Google Analytics policies, Facebook policies, and YouTube policies to their default values.
AnalysisAI
Missing authorization in the DSGVO All in One for WP plugin (versions up to and including 4.9) allows any authenticated WordPress user with Subscriber-level access or higher to invoke the dsgvo_reset_policy_service_func() function and wipe all customized privacy policy content - cookie notices, Google Analytics policies, Facebook policies, and YouTube policies - back to plugin defaults. The root cause is a complete absence of both WordPress capability checks and nonce verification on a sensitive administrative function that accepts and acts on user-supplied parameters. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress account with at minimum Subscriber-level access on the target site - unauthenticated exploitation is not possible per the CVSS PR:L metric. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N accurately reflects a moderate, bounded impact: the attack is remotely exploitable over the network with low complexity and requires only a low-privilege (Subscriber) account - no user interaction needed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers for or already possesses a Subscriber-level account on a target WordPress site running DSGVO All in One for WP version 4.9 or earlier. The attacker sends a crafted authenticated POST request directly to the WordPress AJAX or admin-post endpoint invoking dsgvo_reset_policy_service_func() - since no nonce or capability check is enforced, the function executes and resets all customized cookie consent banners and GDPR disclosure policies to plugin defaults, potentially removing legally required disclosures and rendering the site non-compliant with GDPR obligations. … |
| Remediation | An upstream fix has been committed to the WordPress plugin repository as changeset 3503821 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3503821%40dsgvo-all-in-one-for-wp&new=3503821%40dsgvo-all-in-one-for-wp); however, no specific patched release version number is independently confirmed from the available input data - administrators should check the plugin's WordPress.org page for a release newer than 4.9 that incorporates this changeset and update immediately. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Dsgvo All In One For Wp
View allThe dsgvoaio_write_log AJAX action of the DSGVO All in one for WP WordPress plugin before 4.0 did not sanitise or escape
The DSGVO All in one for WP WordPress plugin before 4.2 does not sanitise and escape some of its settings, which could a
The DSGVO All in one for WP plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Michael Lei
Cross-Site Request Forgery (CSRF) vulnerability in Michael Leithold DSGVO All in one for WP.3. Rated medium severity (CV
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42562
GHSA-6h4r-gjpv-q3jc