CVE-2026-4283 - Vulnerability Analysis
Severity: Critical | CVSS: 9.1 | Last Updated: March 24, 2026
WP DSGVO Tools (GDPR) - Broken Access Control
Overview
The WP DSGVO Tools (GDPR) WordPress plugin, in all versions up to and including 3.1.38, contains an unauthorized account destruction vulnerability. The 'super-unsubscribe' AJAX action accepts a 'process_now' parameter from unauthenticated requests, which lets an attacker permanently anonymize any non-administrator user account. The only gate on the request is a nonce, and that nonce is embedded in any page that renders the [unsubscribe_form] shortcode, so an attacker obtains it by loading such a page; the nonce therefore protects against CSRF but provides no authorization (CWE-862).
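The defect class is easier to see next to its fix. The following is an added illustration, not code from the plugin or from its authors: a hypothetical WordPress AJAX handler (the `sp_example_*` function names, the nonce action name and the handling of the `process_now` and `email` parameters are assumptions made for the example) showing the vulnerable pattern the advisory describes, in which a nonce is the only gate on an irreversible action, beside a hardened version in which an unauthenticated request can only start a mailed double opt-in and immediate processing requires a capability check.

```php
<?php
// Added illustration, not the plugin's code. Function names, the nonce action
// name and the parameter handling below are assumptions for the example.

// Placeholder for the irreversible step; the real plugin's anonymization
// logic is not reproduced here.
function sp_example_anonymize_user( $user_id ) {
    wp_update_user( array(
        'ID'           => (int) $user_id,
        'user_email'   => 'anon-' . (int) $user_id . '@example.invalid',
        'display_name' => 'Deleted user',
    ) );
}

// --- Vulnerable pattern (CWE-862): nonce-only gating on a nopriv AJAX action ---
// check_ajax_referer() only proves the request came from a page the site served.
// On a wp_ajax_nopriv_* action that page is public, so every visitor holds a
// valid nonce, and the client-supplied process_now flag decides when an
// irreversible action runs.
function sp_example_vulnerable_unsubscribe() {
    check_ajax_referer( 'sp_example_unsubscribe', 'nonce' );          // CSRF only
    $email       = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $process_now = ! empty( $_POST['process_now'] );                   // trusted from client
    $user        = get_user_by( 'email', $email );
    if ( $user && $process_now && ! user_can( $user, 'manage_options' ) ) {
        sp_example_anonymize_user( $user->ID );                        // irreversible
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_sp_example_unsubscribe_vuln', 'sp_example_vulnerable_unsubscribe' );
add_action( 'wp_ajax_sp_example_unsubscribe_vuln', 'sp_example_vulnerable_unsubscribe' );

// --- Hardened pattern: the client never decides when destruction happens ---
function sp_example_hardened_unsubscribe() {
    check_ajax_referer( 'sp_example_unsubscribe', 'nonce' );
    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $user    = get_user_by( 'email', $email );
    $generic = array( 'message' => 'If the address exists, a confirmation email has been sent.' );

    // Same answer for unknown and protected accounts, so the endpoint cannot enumerate users.
    if ( ! $user || user_can( $user, 'manage_options' ) ) {
        wp_send_json_success( $generic );
    }

    // Immediate processing is an administrator action, gated by capability, not by a POST flag.
    if ( ! empty( $_POST['process_now'] ) && current_user_can( 'manage_options' ) ) {
        sp_example_anonymize_user( $user->ID );
        wp_send_json_success( array( 'message' => 'Processed.' ) );
    }

    // Everyone else gets double opt-in: a single-use token, bound to the user, mailed to the owner.
    $token = wp_generate_password( 32, false );
    set_transient( 'sp_example_unsub_' . hash( 'sha256', $token ), $user->ID, HOUR_IN_SECONDS );
    wp_mail(
        $user->user_email,
        'Confirm account erasure',
        add_query_arg( array( 'sp_unsub_confirm' => $token ), home_url( '/' ) )
    );
    wp_send_json_success( $generic );
}
add_action( 'wp_ajax_nopriv_sp_example_unsubscribe', 'sp_example_hardened_unsubscribe' );
add_action( 'wp_ajax_sp_example_unsubscribe', 'sp_example_hardened_unsubscribe' );

// Confirmation step: the mailed token, not a request parameter, authorizes the erasure.
function sp_example_handle_confirmation() {
    if ( empty( $_GET['sp_unsub_confirm'] ) ) {
        return;
    }
    $token   = sanitize_text_field( wp_unslash( $_GET['sp_unsub_confirm'] ) );
    $key     = 'sp_example_unsub_' . hash( 'sha256', $token );
    $user_id = get_transient( $key );
    if ( false === $user_id ) {
        wp_die( 'Invalid or expired confirmation link.', '', array( 'response' => 403 ) );
    }
    delete_transient( $key );                                          // single use
    sp_example_anonymize_user( (int) $user_id );
    wp_die( 'Your account has been erased.', '', array( 'response' => 200 ) );
}
add_action( 'init', 'sp_example_handle_confirmation' );
```

The point to carry away is that `check_ajax_referer()` is a CSRF check, not an authorization check: it proves the request originated from a page the site itself served, and for a `wp_ajax_nopriv_*` action that page is public. Authorization for an irreversible action has to come from `current_user_can()` or from a secret that only the account owner receives, and a flag like `process_now` must never be honoured from an unauthenticated request.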
Impact
Unauthenticated attackers can permanently anonymize, and thereby destroy, non-administrator user accounts, causing irreversible data loss and locking the affected users out of the site.
Mitigation
Update to version 3.1.39 or later (the 3.1.38 to 3.1.39 changeset is listed in the references). As an interim measure, removing the [unsubscribe_form] shortcode from public pages denies attackers the nonce the request must carry, although the AJAX handler itself remains registered until the plugin is updated.
References
- https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.38/includes/models/unsubscriber.php#L24
- https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.38/public/shortcodes/super-unsubscribe/unsubscribe-form-action.php#L39
- https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/trunk/public/shortcodes/super-unsubscribe/unsubscribe-form-action.php#L39
- https://plugins.trac.wordpress.org/changeset?old_path=/shapepress-dsgvo/tags/3.1.38&new_path=/shapepress-dsgvo/tags/3.1.39
- https://www.wordfence.com/threat-intel/vulnerabilities/id/21389122-cb39-45d1-a889-b830d3a55603?source=cve
- https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.38/includes/class-sp-dsgvo-ajax-action.php#L69
- https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.38/includes/class-sp-dsgvo-data-collecter.php#L250
Social Media Activity (2 posts)
- CRITICAL: CVE-2026-4283 in WP DSGVO Tools (GDPR) plugin allows unauthenticated attackers to irreversibly destroy non-admin accounts via 'super-unsubscribe' AJAX. All versions ≤3.1.38 affected. Remove '[unsubscribe_form]' & monitor for abuse. https://radar.offseq.com/threat/cve-2026-4283-cwe-862-missing-authorization-in-leg-b0b3a8d9 #OffSeq #WordPress #Infosec
- CVE-2026-4283 - Critical (9.1) The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the `super-unsubscribe` AJAX action accepting a `process_now` parameter from unauthentica... https://www.thehackerwire.com/vulnerability/CVE-2026-4283/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-4283
- Severity: Critical
- CVSS Score: 9.1
- Type: broken_access_control
- Status: unconfirmed
- EPSS: 10.3%
- Social Posts: 2
CWE
- CWE-862 (Missing Authorization)
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H