Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Network-reachable with no privileges or interaction; confidentiality impact rated Low per-request despite automation potential enabling bulk PII harvest.
Primary rating from Vendor (WPScan).
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
The WP DSGVO Tools (GDPR) WordPress plugin before 3.1.40 does not perform an authorization check on the immediate-processing path of its data subject access request feature, allowing unauthenticated attackers to generate and download the full personal-data export (including name, postal address, phone number, email, and comment content) of any user, customer, or commenter by supplying their email address.
AnalysisAI
Unauthenticated personal data exfiltration in WP DSGVO Tools (GDPR) WordPress plugin before 3.1.40 allows any remote attacker to download the full GDPR personal data export of any user, customer, or commenter by supplying only their email address. The plugin's data subject access request (DSAR) immediate-processing path omits an authorization check, converting a legally mandated privacy feature into a privacy breach vector. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The WP DSGVO Tools (GDPR) plugin must be installed and active, and its DSAR immediate-processing path must be reachable (the default operational state). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor and NVD CVSS score of 5.3 Medium (C:L) technically captures per-request confidentiality loss but understates practical impact: because the attack is automatable (confirmed by SSVC) and requires only email address enumeration, an adversary can systematically harvest PII - names, postal addresses, phone numbers, emails, comment histories - for an entire site's user base in bulk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker collects email addresses from the target WordPress site via user enumeration, public comment sections, or previously leaked datasets, then submits each address to the plugin's DSAR immediate-processing endpoint without authentication. The plugin generates and returns a structured personal data export - containing full name, postal address, phone number, email, and comment content - for each matched account. … |
| Remediation | Update the WP DSGVO Tools (GDPR) plugin to version 3.1.40 or later, which contains the vendor-released authorization fix on the DSAR immediate-processing path. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Wp Dsgvo Tools Gdpr
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42509
GHSA-m267-7fgq-g6v7