PT-2021-23590 · WordPress · Wp Dsgvo Tools

Ramuel Gall · Published 2021-11-05 · Updated 2025-09-19 · CVE-2021-42359

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WP DSGVO Tools (GDPR) versions <= 3.1.23

Description: The issue allows an attacker to permanently delete an arbitrary post or page on a site by sending an AJAX request with the "action" parameter set to "admin-dismiss-unsubscribe" and the "id" parameter set to the post to be deleted. This is possible due to the lack of a capability check and a nonce check in the 'admin-dismiss-unsubscribe' AJAX action, making it accessible to unauthenticated users. The post type is also not checked when deleting unsubscription requests, further facilitating the attack. Sending such a request would initially move the post to the trash, and repeating the request would result in the permanent deletion of the post.

Recommendations: For WP DSGVO Tools (GDPR) versions <= 3.1.23, update to a version greater than 3.1.23 to resolve the issue. As a temporary workaround, consider disabling the 'admin-dismiss-unsubscribe' AJAX action until a patch is available. Restrict access to the AJAX endpoint to minimize the risk of exploitation. Avoid using the id parameter in the affected AJAX request until the issue is resolved.
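The following is an added illustration, not code from WP DSGVO Tools or its fix: a hardened WordPress AJAX handler of the shape the description implies, carrying the three checks the advisory says were missing (nonce, capability, post type) and registered only on the authenticated `wp_ajax_` hook so that unauthenticated callers never reach it. The hook name follows the action named above; the capability `manage_options`, the nonce action `dismiss_unsubscribe_nonce`, the request field `nonce`, and the custom post type name `dsgvo_unsubscribe_request` are placeholders chosen for this example.

```php
<?php
// Added example, not the plugin's own code. Placeholders (not from the advisory):
// the capability 'manage_options', the nonce action 'dismiss_unsubscribe_nonce',
// the POST field 'nonce', and the custom post type 'dsgvo_unsubscribe_request'.

const DSGVO_EXAMPLE_POST_TYPE = 'dsgvo_unsubscribe_request'; // placeholder type name

// Register ONLY the authenticated hook. In WordPress an AJAX action becomes
// reachable by unauthenticated users when it is also registered on the matching
// 'wp_ajax_nopriv_...' hook; a privileged action such as this one must not be.
add_action( 'wp_ajax_admin-dismiss-unsubscribe', 'dsgvo_example_dismiss_unsubscribe' );

function dsgvo_example_dismiss_unsubscribe() {
    // 1. Nonce check: rejects forged cross-site requests that lack a valid token.
    //    With the third argument set to false, check_ajax_referer() returns
    //    false instead of terminating, so we can send a structured error.
    if ( ! check_ajax_referer( 'dismiss_unsubscribe_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }

    // 2. Capability check: only users allowed to manage the site may delete
    //    unsubscription requests. Being logged in is not enough on its own.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: the id must be a positive integer naming an existing post.
    $post_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post ) {
        wp_send_json_error( array( 'message' => 'Unknown post.' ), 404 );
    }

    // 4. Post type check: the handler may only touch the plugin's own records,
    //    never arbitrary posts or pages, whatever id the caller supplies.
    if ( DSGVO_EXAMPLE_POST_TYPE !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Not an unsubscription request.' ), 400 );
    }

    // Trash on the first call; permanently delete only a record already in the trash.
    if ( 'trash' === $post->post_status ) {
        $result = wp_delete_post( $post_id, true );
    } else {
        $result = wp_trash_post( $post_id );
    }

    if ( ! $result ) {
        wp_send_json_error( array( 'message' => 'Deletion failed.' ), 500 );
    }
    wp_send_json_success( array( 'id' => $post_id, 'status' => $post->post_status ) );
}
```

The admin page that issues this request must embed a token created with `wp_create_nonce( 'dismiss_unsubscribe_nonce' )` and send it in the `nonce` field, otherwise the first check rejects every call. The order of the checks matters little for security, but failing fast on the nonce and capability before loading the post avoids doing database work for callers that should never have reached the handler. For detection while unpatched, requests to `admin-ajax.php` with `action=admin-dismiss-unsubscribe` that carry no WordPress login cookie are the pattern to alert on.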

Weakness Enumeration

Improper Access Control
Missing Authorization

Related Identifiers

CVE-2021-42359

Affected Products

Wp Dsgvo Tools