CVE-2026-4283 CRITICAL

CVE-2026-4283: WP DSGVO Tools (GDPR) <= 3.1.38 - Missing Authorization to Unauthenticated Account Destruction of Non-Admin Users

Vendor Legalweb
Product WP DSGVO Tools (GDPR)
Weakness CWE-862 · Missing authorization
Published March 24, 2026
Last update April 8, 2026

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01 Description

The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the `super-unsubscribe` AJAX action accepting a `process_now` parameter from unauthenticated users, which bypasses the intended email-confirmation flow and immediately triggers irreversible account anonymization. This makes it possible for unauthenticated attackers to permanently destroy any non-administrator user account (password randomized, username/email overwritten, roles stripped, comments anonymized, sensitive usermeta wiped) by submitting the victim's email address with `process_now=1`. The nonce required for the request is publicly available on any page containing the `[unsubscribe_form]` shortcode.
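As an added illustration, not the plugin's own code, the following hardened form of such an unsubscribe handler shows the missing control: a caller-supplied `process_now` flag never lets an unauthenticated request skip confirmation, and the single-use token from the confirmation email is the only anonymous path to anonymization. Names prefixed `example_` and the nonce action `example_unsubscribe` are assumptions; `example_anonymize_user()` stands for the plugin's existing destructive routine, which the description above characterizes but this example does not reproduce.

```php
<?php
// Illustrative hardened handler added here; not the plugin's code. Everything
// prefixed "example_" and the nonce action "example_unsubscribe" are assumptions;
// example_anonymize_user() stands for the plugin's existing destructive routine.
add_action( 'wp_ajax_super-unsubscribe', 'example_handle_super_unsubscribe' );
add_action( 'wp_ajax_nopriv_super-unsubscribe', 'example_handle_super_unsubscribe' );

function example_handle_super_unsubscribe() {
    // The shortcode nonce is a CSRF token anyone can read off the page:
    // verify it, but never treat it as proof of who the caller is.
    check_ajax_referer( 'example_unsubscribe', 'nonce' );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid email address.' ), 400 );
    }
    // The missing authorization check: a caller-supplied process_now flag must
    // not let an unauthenticated request skip confirmation. Only a user who may
    // delete users (an administrator) gets the immediate path.
    $process_now = ! empty( $_POST['process_now'] );
    if ( $process_now && ! current_user_can( 'delete_users' ) ) {
        wp_send_json_error( array( 'message' => 'Email confirmation is required.' ), 403 );
    }
    $user = get_user_by( 'email', $email );
    if ( $user && ! user_can( $user, 'manage_options' ) ) { // never anonymize admins
        $process_now ? example_anonymize_user( $user->ID ) : example_send_confirmation( $user );
    }
    // Same reply whether or not the address matched, so accounts cannot be enumerated.
    wp_send_json_success( array( 'message' => 'If an account exists, a confirmation email was sent.' ) );
}

// Single-use, time-limited token; only its hash is stored, so a DB read does not leak it.
function example_send_confirmation( WP_User $user ) {
    $token = wp_generate_password( 32, false );
    set_transient( 'example_unsub_' . hash( 'sha256', $token ), $user->ID, HOUR_IN_SECONDS );
    $link  = add_query_arg( 'unsub_token', $token, home_url( '/' ) );
    wp_mail( $user->user_email, 'Confirm account deletion', "Open this link to confirm: $link" );
}

// Consuming the emailed token is the only unauthenticated path to anonymization.
add_action( 'init', function () {
    $token = sanitize_text_field( wp_unslash( $_GET['unsub_token'] ?? '' ) );
    if ( '' === $token ) { return; }
    $key = 'example_unsub_' . hash( 'sha256', $token );
    $uid = (int) get_transient( $key );
    if ( $uid > 0 ) {
        delete_transient( $key ); // one shot: a replayed link does nothing
        example_anonymize_user( $uid );
    }
} );
```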

Explanation of Vulnerability in Simple Terms

02 Summary

WP DSGVO Tools versions 3.1.38 and earlier lack an authorization check on the `super-unsubscribe` AJAX action, allowing unauthenticated attackers to permanently anonymize, and so effectively destroy, any non-administrator user account. The vulnerability affects the plugin's core unsubscribe functionality and requires no user interaction. Site administrators should update immediately to a patched version.

What an attacker can do

03 Attacker Capabilities

Permanently anonymize any non-administrator user account, overwriting or wiping its data, without logging in or holding any account on the site.

Potential impact on your site

04 Site Impact

Attackers can alter or remove critical GDPR compliance data and site content without restriction.

Conditions required to exploit

05 Prerequisites

Network access to the site and the victim's email address; the required nonce is publicly available on any page containing the `[unsubscribe_form]` shortcode, so no authentication or user interaction is required.

Key dates

06 Disclosure timeline

March 24, 2026 CVE published
April 8, 2026 Record updated