EUVD-2026-14735
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
3Description
The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the `super-unsubscribe` AJAX action accepting a `process_now` parameter from unauthenticated users, which bypasses the intended email-confirmation flow and immediately triggers irreversible account anonymization. This makes it possible for unauthenticated attackers to permanently destroy any non-administrator user account (password randomized, username/email overwritten, roles stripped, comments anonymized, sensitive usermeta wiped) by submitting the victim's email address with `process_now=1`. The nonce required for the request is publicly available on any page containing the `[unsubscribe_form]` shortcode.
Analysis
The WP DSGVO Tools (GDPR) plugin for WordPress contains an authentication bypass vulnerability that allows unauthenticated attackers to permanently destroy any non-administrator user account. Attackers can trigger immediate and irreversible account anonymization (randomizing passwords, overwriting usernames/emails, stripping roles, anonymizing comments, and wiping sensitive metadata) by submitting a victim's email address with a publicly available nonce. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all WordPress installations using WP DSGVO Tools and assess user exposure; notify affected users of potential account compromise risk. Within 7 days: Disable the WP DSGVO Tools plugin entirely or implement aggressive WAF rules to block GDPR anonymization endpoints; engage plugin vendor for patch timeline and security updates. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today