What the vulnerability does
01 Description
The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the `super-unsubscribe` AJAX action accepting a `process_now` parameter from unauthenticated users, which bypasses the intended email-confirmation flow and immediately triggers irreversible account anonymization. This makes it possible for unauthenticated attackers to permanently destroy any non-administrator user account (password randomized, username/email overwritten, roles stripped, comments anonymized, sensitive usermeta wiped) by submitting the victim's email address with `process_now=1`. The nonce required for the request is publicly available on any page containing the `[unsubscribe_form]` shortcode.
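The two checks a site operator wants after reading the description above are (a) whether an installed copy is in the affected range and (b) whether the bypass has already been used against the site. The Python below is an added example for this page, not code from the plugin or from the advisory. It assumes things the page does not state: that the request reaches `/wp-admin/admin-ajax.php` with `action=super-unsubscribe`, that the email field is named `email` and the nonce field `_wpnonce`, and that the logs being scanned are JSON lines that record the POST body (a WAF or reverse-proxy audit log; a plain access log would not contain the body). The sample records are constructed.

```python
"""Triage helpers for the WP DSGVO Tools super-unsubscribe issue.

Added example; not code from the plugin or the advisory. Assumed (not on the
page): endpoint /wp-admin/admin-ajax.php, parameter names email and _wpnonce,
and a JSON-lines audit log that includes the request body.
"""
import json
from typing import Optional
from urllib.parse import parse_qs, urlsplit

LAST_VULNERABLE = (3, 1, 38)          # highest affected version per the advisory
TRUTHY = {"1", "true", "yes", "on"}   # values a PHP handler would treat as "set"


def parse_version(version: str) -> tuple:
    """Turn '3.1.38' (or '3.1.38-beta') into a comparable tuple of three ints."""
    parts = []
    for piece in version.strip().split(".")[:3]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True for every version up to and including 3.1.38."""
    return parse_version(version) <= LAST_VULNERABLE


def request_params(record: dict) -> dict:
    """Merge query-string and form-encoded body parameters; the body wins on conflict."""
    merged = {}
    sources = (urlsplit(record.get("uri", "")).query, record.get("body", ""))
    for src in sources:
        for key, values in parse_qs(src, keep_blank_values=True).items():
            merged[key] = values[-1]
    return merged


def is_logged_in(record: dict) -> bool:
    """WordPress marks authenticated sessions with a wordpress_logged_in_<hash> cookie."""
    return any(name.startswith("wordpress_logged_in_") for name in record.get("cookies", {}))


def classify(record: dict) -> Optional[str]:
    """Label one request, or return None if it is not a super-unsubscribe call."""
    if not urlsplit(record.get("uri", "")).path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = request_params(record)
    if params.get("action") != "super-unsubscribe":
        return None
    if params.get("process_now", "").strip().lower() not in TRUTHY:
        return "confirmation-flow"                 # intended path: confirmation email is sent
    if is_logged_in(record):
        return "immediate-anonymize-authenticated"
    return "unauthenticated-immediate-anonymize"   # the bypass: no login, no confirmation


def classify_line(line: str) -> Optional[str]:
    return classify(json.loads(line))


def scan(lines) -> list:
    """Return the requests that match the unauthenticated bypass, with the targeted email."""
    hits = []
    for line in lines:
        record = json.loads(line)
        if classify(record) == "unauthenticated-immediate-anonymize":
            hits.append({
                "ts": record.get("ts"),
                "src": record.get("src"),
                "target": request_params(record).get("email", ""),  # field name assumed
            })
    return hits


# Constructed sample log: three records in the assumed JSON-lines layout.
SAMPLE_LOG = [
    '{"ts": "2026-03-25T10:00:01Z", "src": "203.0.113.7", "uri": "/wp-admin/admin-ajax.php", '
    '"body": "action=super-unsubscribe&email=victim%40example.com&_wpnonce=0123abcd&process_now=1", '
    '"cookies": {}}',
    '{"ts": "2026-03-25T10:00:05Z", "src": "198.51.100.9", "uri": "/wp-admin/admin-ajax.php", '
    '"body": "action=super-unsubscribe&email=me%40example.com&_wpnonce=0123abcd", '
    '"cookies": {}}',
    '{"ts": "2026-03-25T10:00:09Z", "src": "192.0.2.4", "uri": "/wp-admin/admin-ajax.php?action=heartbeat", '
    '"body": "data=1", "cookies": {"wordpress_logged_in_ab12": "x"}}',
]

if __name__ == "__main__":
    print("3.1.38 vulnerable:", is_vulnerable_version("3.1.38"))
    for hit in scan(SAMPLE_LOG):
        print("bypass attempt:", hit)
```

Note that a valid nonce in the request is not evidence of a legitimate caller: as the description says, the nonce is readable from any page carrying the `[unsubscribe_form]` shortcode, so the only signal that separates the bypass from the intended flow is `process_now` arriving from a session with no WordPress login cookie.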
Explanation of Vulnerability in Simple Terms
02 Summary
WP DSGVO Tools versions 3.1.38 and earlier do not check who is calling the `super-unsubscribe` AJAX action, so anyone on the internet can skip the email-confirmation step and trigger the irreversible anonymization of any non-administrator account, needing only that user's email address. No login and no action by the victim are required. Site administrators should update immediately to a patched version (later than 3.1.38).
What an attacker can do
03 Attacker Capabilities
Permanently destroy any non-administrator user account (password randomized, username and email overwritten, roles stripped, comments anonymized, sensitive usermeta wiped) knowing only the victim's email address, without logging in or having any account on the site.
Potential impact on your site
04 Site Impact
Attackers can lock every non-administrator user out of the site and wipe their profile data and comment attribution at will. Because the anonymization is irreversible, affected accounts cannot be recovered in place; GDPR-related records handled by the plugin are affected as well.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required. The attacker needs the target user's email address and a publicly reachable page containing the `[unsubscribe_form]` shortcode, from which the request nonce can be read.
Key dates
06 Disclosure timeline
March 24, 2026: CVE published
April 8, 2026: Record updated