Skip to main content

Wp Dsgvo Tools Gdpr

2 CVEs product

Monthly

CVE-2026-11869 MEDIUM POC PATCH This Month

Unauthenticated personal data exfiltration in WP DSGVO Tools (GDPR) WordPress plugin before 3.1.40 allows any remote attacker to download the full GDPR personal data export of any user, customer, or commenter by supplying only their email address. The plugin's data subject access request (DSAR) immediate-processing path omits an authorization check, converting a legally mandated privacy feature into a privacy breach vector. A publicly available POC exploit exists, SSVC confirms the attack is automatable, and a vendor patch has been released at version 3.1.40.

WordPress Information Disclosure Wp Dsgvo Tools Gdpr
NVD WPScan
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-10034 MEDIUM This Month

Unauthenticated personal data exfiltration in WP DSGVO Tools (GDPR) plugin for WordPress (≤3.1.39) allows any remote attacker to trigger immediate Subject Access Request (SAR) fulfillment for an arbitrary victim email, receiving tokenized download links in the HTTP response that expose WordPress account details, comment history, email addresses, and IP addresses. The plugin's CSRF nonce - the only gate protecting this action - is publicly rendered by the SAR shortcode form and shared across all anonymous visitors, rendering it entirely ineffective as an access control mechanism. No active exploitation is confirmed (not in CISA KEV) and no public POC is confirmed at time of analysis, though the Wordfence advisory includes direct source code references identifying the exact vulnerable code paths.

CSRF Authentication Bypass WordPress Wp Dsgvo Tools Gdpr
NVD VulDB
CVSS 3.1
5.3
EPSS
0.4%
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Unauthenticated personal data exfiltration in WP DSGVO Tools (GDPR) WordPress plugin before 3.1.40 allows any remote attacker to download the full GDPR personal data export of any user, customer, or commenter by supplying only their email address. The plugin's data subject access request (DSAR) immediate-processing path omits an authorization check, converting a legally mandated privacy feature into a privacy breach vector. A publicly available POC exploit exists, SSVC confirms the attack is automatable, and a vendor patch has been released at version 3.1.40.

WordPress Information Disclosure Wp Dsgvo Tools Gdpr
NVD WPScan
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated personal data exfiltration in WP DSGVO Tools (GDPR) plugin for WordPress (≤3.1.39) allows any remote attacker to trigger immediate Subject Access Request (SAR) fulfillment for an arbitrary victim email, receiving tokenized download links in the HTTP response that expose WordPress account details, comment history, email addresses, and IP addresses. The plugin's CSRF nonce - the only gate protecting this action - is publicly rendered by the SAR shortcode form and shared across all anonymous visitors, rendering it entirely ineffective as an access control mechanism. No active exploitation is confirmed (not in CISA KEV) and no public POC is confirmed at time of analysis, though the Wordfence advisory includes direct source code references identifying the exact vulnerable code paths.

CSRF Authentication Bypass WordPress +1
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy