CVE-2026-4283
Published: 24 March 2026
Description
The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the `super-unsubscribe` AJAX action accepting a `process_now` parameter from unauthenticated users, which bypasses the intended email-confirmation flow and immediately triggers irreversible account anonymization. This makes it possible for unauthenticated attackers to permanently destroy any non-administrator user account (password randomized, username/email overwritten, roles stripped, comments anonymized, sensitive usermeta wiped) by submitting the victim's email address with `process_now=1`. The nonce required for the request is publicly available on any page containing the `[unsubscribe_form]` shortcode.
Mitigating Controls (NIST 800-53 r5) (AI-generated)
AC-3 requires enforcement of approved authorizations on the super-unsubscribe AJAX action to block unauthenticated access and prevent account destruction.
AC-2 establishes account management processes to protect non-administrator user accounts from unauthorized irreversible modifications like password randomization, role stripping, and metadata wiping.
AC-6 least privilege ensures unauthenticated users cannot access destructive functions like super-unsubscribe that bypass email confirmation and anonymize accounts.
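A stopgap a site owner could deploy while waiting for a vendor fix, written as an added example for this advisory and not taken from the plugin: a must-use plugin that strips `process_now` from unauthenticated requests to the `super-unsubscribe` action, so the plugin's own confirmation-email flow applies. It assumes (hypothetically) that the plugin reads the parameter from the request superglobals; the plugin's internal function names are unknown here and are not referenced.

```php
<?php
/**
 * Plugin Name: Stopgap for CVE-2026-4283 (illustrative mu-plugin, not vendor code)
 * Description: Neutralises the unauthenticated `process_now` bypass on the
 *              `super-unsubscribe` AJAX action until WP DSGVO Tools is patched.
 * Install:     drop into wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Assumption: the vulnerable handler reads `process_now` from $_GET/$_POST/$_REQUEST.
// `init` fires inside wp-load.php, i.e. before admin-ajax.php dispatches the
// `wp_ajax_nopriv_*` action, so the parameter is gone by the time the plugin runs.
add_action( 'init', 'cve_2026_4283_strip_process_now', 0 );

function cve_2026_4283_is_bypass_attempt() {
    // Only admin-ajax.php requests for the affected action are of interest.
    if ( ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
        return false;
    }
    $action = isset( $_REQUEST['action'] ) ? (string) $_REQUEST['action'] : '';
    if ( 'super-unsubscribe' !== $action ) {
        return false;
    }
    // The flaw is specifically that an *unauthenticated* caller can skip the
    // email confirmation; authenticated behaviour is left to the plugin.
    if ( is_user_logged_in() ) {
        return false;
    }
    return isset( $_GET['process_now'] ) || isset( $_POST['process_now'] );
}

function cve_2026_4283_strip_process_now() {
    if ( ! cve_2026_4283_is_bypass_attempt() ) {
        return; // Normal confirmation-email flow; nothing to do.
    }
    // Record the attempt for detection. The public nonce is no defence here,
    // so do not rely on a nonce check; the parameter itself is the signal.
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
    error_log( sprintf( 'CVE-2026-4283: dropped unauthenticated process_now from %s', $remote ) );

    // Remove the parameter everywhere the plugin might read it. The request
    // then proceeds as an ordinary unsubscribe that still requires the
    // confirmation email, which is the intended flow.
    unset( $_GET['process_now'], $_POST['process_now'], $_REQUEST['process_now'] );
}
```

Stripping rather than refusing keeps the legitimate unsubscribe path working for visitors; the logged line can be fed to whatever monitors the PHP error log.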
Security Summary (AI-generated)
CVE-2026-4283 affects the WP DSGVO Tools (GDPR) plugin for WordPress in all versions up to and including 3.1.38. The vulnerability enables unauthorized account destruction due to the `super-unsubscribe` AJAX action, which accepts a `process_now` parameter from unauthenticated users. This bypasses the intended email-confirmation flow and immediately triggers irreversible account anonymization, stemming from a missing authorization check akin to CWE-862 (Missing Authorization).
Unauthenticated attackers can exploit this by submitting a victim's email address along with `process_now=1` via the AJAX endpoint. The required nonce is publicly available on any page containing the `[unsubscribe_form]` shortcode, so exploitation is straightforward over the network, with low complexity and no privileges needed. A successful attack permanently destroys a non-administrator user account by randomizing the password, overwriting the username and email, stripping roles, anonymizing comments, and wiping sensitive usermeta; this corresponds to the assigned CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).
References provided by the CVE point to specific vulnerable code locations in the plugin's source, including lines in `class-sp-dsgvo-ajax-action.php` (L69), `class-sp-dsgvo-data-collecter.php` (L250), `unsubscriber.php` (L24), and `unsubscribe-form-action.php` (L39) across the tags/3.1.38 and trunk branches on the WordPress plugin trac repository. The provided information does not include any patch or mitigation details.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability allows unauthenticated exploitation of a public-facing WordPress plugin (T1190) to remove account access by destroying user accounts (T1531) and manipulate stored user data such as usernames, emails, and metadata (T1565.001).