PT-2026-27328 · WordPress · Wp Dsgvo Tools

Angus Girvan · Published 2026-03-24 · Updated 2026-03-24 · CVE-2026-4283

CVSS v3.1: 9.1 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
Name of the Vulnerable Software and Affected Versions

WP DSGVO Tools (GDPR) plugin for WordPress versions through 3.1.38

Description

The WP DSGVO Tools (GDPR) plugin for WordPress is susceptible to unauthorized account destruction. The super-unsubscribe AJAX action allows unauthenticated users to bypass the email-confirmation process and immediately trigger irreversible account anonymization by submitting a victim's email address with the process now parameter set to 1. This results in password randomization, username/email overwriting, role stripping, comment anonymization, and the wiping of sensitive user metadata. The required nonce for the request is publicly available on any page containing the [unsubscribe form] shortcode. The vulnerable parameter is process now. The affected API endpoint is the super-unsubscribe AJAX action.

Recommendations

Update to version 3.1.39 or later.
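
The authorization decision that the description says is missing can be modelled as follows. This is an added example, not the plugin's code and not the 3.1.39 fix; every name in it (`decide`, `issue_token`, `token_valid`, `SECRET`, `TOKEN_TTL`, and `process_now` standing for the page's "process now" parameter) is an assumption, as is the HMAC confirmation token.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # constructed value; a real site uses a per-site secret
TOKEN_TTL = 3600                  # assumed lifetime of a confirmation link, in seconds


def _mac(email, expires):
    msg = f"{email.lower()}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(email, now=None):
    """Token mailed to the address: only someone reading that mailbox sees it."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    return f"{expires}.{_mac(email, expires)}"


def token_valid(email, token, now=None):
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return False  # missing or malformed token
    fresh = expires >= (time.time() if now is None else now)
    return fresh and hmac.compare_digest(mac.encode(), _mac(email, expires).encode())


def decide(email, process_now=False, session_email=None, is_admin=False,
           token=None, now=None):
    """Return 'anonymize' or 'send_confirmation' for one unsubscribe request.

    The form nonce is deliberately not an input: any visitor can read it from
    the page, so it proves nothing about who is asking.
    """
    owner = session_email is not None and session_email.lower() == email.lower()
    if process_now and (owner or is_admin):
        return "anonymize"          # logged-in owner or administrator
    if token is not None and token_valid(email, token, now):
        return "anonymize"          # requester proved control of the mailbox
    return "send_confirmation"      # everyone else, process_now set or not
```
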

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-4283

Affected Products

Wp Dsgvo Tools