WP DSGVO Tools (GDPR) Missing Authorization Vulnerability Allowing Unauthenticated Account Destruction of Non-Admin Users

Vulnerability

A vulnerability exists in the WP DSGVO Tools (GDPR) plugin for WordPress, affecting all versions through 3.1.38. The issue arises from the 'super-unsubscribe' AJAX action, which allows unauthenticated users to send a 'process_now' parameter. This bypasses the intended email confirmation process and immediately triggers irreversible account anonymization. As a result, unauthenticated attackers can permanently delete any non-administrator user account by submitting the victim's email address with 'process_now=1'. The request's nonce, which is typically required for such actions, is publicly accessible on any page that includes the '[unsubscribe_form]' shortcode.

Impact

Exploitation of this vulnerability leads to the permanent deletion of non-administrator user accounts. Affected accounts have their passwords randomized, usernames and emails overwritten, roles stripped, comments anonymized, and sensitive user metadata wiped.

Reproduction

To reproduce this vulnerability, send a request to the 'admin-ajax.php' file with the 'action' parameter set to 'super-unsubscribe', and include the 'process_now' parameter set to '1'. The victim's email address must also be included in the request. This can be done from any page that contains the '[unsubscribe_form]' shortcode, as the nonce required for the request is publicly available.

Remediation

Users are advised to update the WP DSGVO Tools (GDPR) plugin to version 3.1.39 or a newer patched version.

Added: Mar 24, 2026, 5:22 AM
Updated: Mar 24, 2026, 5:22 AM

Vulnerability Rating

Custom Algorithm
spread
5.2
impact
0.6
exploitability
8.9
remediation
7.7
relevance
3.0
threat
4.8
urgency
2.9
incentive
8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.