Skip to main content

WP DSGVO Tools EUVDEUVD-2026-42509

| CVE-2026-11869 MEDIUM
2026-07-09 WPScan GHSA-m267-7fgq-g6v7
5.3
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable with no privileges or interaction; confidentiality impact rated Low per-request despite automation potential enabling bulk PII harvest.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jul 09, 2026 - 17:15 vuln.today
CVSS changed
Jul 09, 2026 - 16:22 NVD
5.3 (None) 5.3 (MEDIUM)
Patch available
Jul 09, 2026 - 08:01 EUVD
CVE Published
Jul 09, 2026 - 06:00 cve.org
MEDIUM 5.3
CVE Published
Jul 09, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The WP DSGVO Tools (GDPR) WordPress plugin before 3.1.40 does not perform an authorization check on the immediate-processing path of its data subject access request feature, allowing unauthenticated attackers to generate and download the full personal-data export (including name, postal address, phone number, email, and comment content) of any user, customer, or commenter by supplying their email address.

AnalysisAI

Unauthenticated personal data exfiltration in WP DSGVO Tools (GDPR) WordPress plugin before 3.1.40 allows any remote attacker to download the full GDPR personal data export of any user, customer, or commenter by supplying only their email address. The plugin's data subject access request (DSAR) immediate-processing path omits an authorization check, converting a legally mandated privacy feature into a privacy breach vector. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Enumerate victim email addresses from site comments or external sources
Delivery
Submit unauthenticated POST to plugin DSAR immediate-processing endpoint
Exploit
Plugin omits authorization check and processes request
Execution
Full personal data export generated for matched account
Impact
Attacker downloads PII export (name, address, phone, email, comments)

Vulnerability AssessmentAI

Exploitation The WP DSGVO Tools (GDPR) plugin must be installed and active, and its DSAR immediate-processing path must be reachable (the default operational state). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor and NVD CVSS score of 5.3 Medium (C:L) technically captures per-request confidentiality loss but understates practical impact: because the attack is automatable (confirmed by SSVC) and requires only email address enumeration, an adversary can systematically harvest PII - names, postal addresses, phone numbers, emails, comment histories - for an entire site's user base in bulk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker collects email addresses from the target WordPress site via user enumeration, public comment sections, or previously leaked datasets, then submits each address to the plugin's DSAR immediate-processing endpoint without authentication. The plugin generates and returns a structured personal data export - containing full name, postal address, phone number, email, and comment content - for each matched account. …
Remediation Update the WP DSGVO Tools (GDPR) plugin to version 3.1.40 or later, which contains the vendor-released authorization fix on the DSAR immediate-processing path. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42509 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy