JustAppSec

Unauthenticated account destruction fixed in WP DSGVO Tools

Published 23 Mar 2026 | Updated 24 Mar 2026 | Source: Wordfence Intelligence

TL;DR — An unauthenticated attacker can permanently anonymize (effectively destroy) non-admin WordPress user accounts in WP DSGVO Tools (GDPR) by abusing an AJAX parameter that skips the confirmation flow.

What happened

WP DSGVO Tools (GDPR) is a WordPress plugin that helps site operators implement GDPR-related features such as user data handling and unsubscribe/anonymization workflows.

Wordfence reports CVE-2026-4283 as a critical (CVSS 9.1) missing-authorization issue where the super-unsubscribe AJAX action accepts a process_now parameter from unauthenticated users, bypassing the intended email-confirmation flow and immediately triggering irreversible account anonymization. Per the advisory, an attacker can submit a victim’s email address with process_now=1 to permanently destroy any non-administrator user account (password randomized, username/email overwritten, roles stripped, comments anonymized, and sensitive usermeta wiped). The nonce required for the request is described as publicly available on any page containing the [unsubscribe_form] shortcode.

This is operationally high-impact because it’s (1) unauthenticated, (2) remote, and (3) destructive rather than merely read-only — it can force account loss and downstream integrity issues (audit trails, attribution, and user-linked content).

Who is impacted

  • WordPress sites running the WP DSGVO Tools (GDPR) plugin.
  • Instances where pages containing the [unsubscribe_form] shortcode are accessible (the advisory states the required nonce is publicly available there).

Component: WP DSGVO Tools (GDPR) (plugin slug shapepress-dsgvo)
Affected versions (per source): <= 3.1.38
Patched versions (per source): 3.1.39

Notes from the advisory:

  • Vulnerability class: “Missing Authorization”.
  • CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H.

What to do now

  • Follow the remediation guidance in the advisory:

    "Update to version 3.1.39, or a newer patched version"

  • Inventory your WordPress fleet for the plugin slug shapepress-dsgvo and identify deployments running <= 3.1.38.
  • Review site content/routing to identify any pages exposing the [unsubscribe_form] shortcode, since the advisory states the attack nonce is publicly obtainable from those pages.
  • Treat this as a destructive integrity risk: if abuse is suspected, prioritize restoring impacted user accounts from backups (where possible) and reviewing audit trails for unexpected anonymization events tied to super-unsubscribe requests.
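As an added example (not code from the advisory, Wordfence or the plugin), a small Python triage helper for the inventory and shortcode-review steps above; the hostnames, versions and page contents are constructed, and the version comparison is numeric so that a version such as 3.1.4 is not mistaken for a patched one:

```python
"""Fleet triage for the WP DSGVO Tools advisory: flag shapepress-dsgvo installs
below the patched version and list published pages exposing [unsubscribe_form].
Inventory is constructed inline; in practice export it per site (e.g. WP-CLI)."""
import re

PLUGIN_SLUG = "shapepress-dsgvo"
PATCHED_VERSION = "3.1.39"  # per the advisory
SHORTCODE_RE = re.compile(r"\[unsubscribe_form\b")

def parse_version(version: str) -> tuple:
    """'3.1.38' -> (3, 1, 38). Numeric tuples compare correctly; plain string
    comparison ranks '3.1.4' above '3.1.38' and would hide a vulnerable site."""
    nums = []
    for part in version.strip().split("."):
        match = re.match(r"\d+", part)  # leading digits of each component
        if not match:  # stop at a non-numeric component such as 'beta'
            break
        nums.append(int(match.group()))
    return tuple(nums)

def is_vulnerable(version: str) -> bool:
    """True when the installed version is older than the patched release."""
    return parse_version(version) < parse_version(PATCHED_VERSION)

def exposed_pages(pages: list) -> list:
    """Slugs of published pages whose content renders the shortcode; drafts are
    skipped because the nonce is only obtainable from publicly accessible pages."""
    return [p["slug"] for p in pages
            if p.get("status") == "publish" and SHORTCODE_RE.search(p.get("content", ""))]

def triage(inventory: list) -> list:
    """One finding per site running a vulnerable shapepress-dsgvo version."""
    findings = []
    for site in inventory:
        if site["slug"] != PLUGIN_SLUG or not is_vulnerable(site["version"]):
            continue
        findings.append({"site": site["site"], "version": site["version"],
                         "exposed_pages": exposed_pages(site.get("pages", []))})
    return findings

# Constructed sample inventory: hostnames, versions and page contents are made up.
INVENTORY = [
    {"site": "shop.example", "slug": PLUGIN_SLUG, "version": "3.1.38", "pages": [
        {"slug": "privacy", "status": "publish", "content": "Opt out: [unsubscribe_form]"},
        {"slug": "old-privacy", "status": "draft", "content": "[unsubscribe_form]"}]},
    {"site": "blog.example", "slug": PLUGIN_SLUG, "version": "3.1.4", "pages": []},
    {"site": "docs.example", "slug": PLUGIN_SLUG, "version": "3.1.39", "pages": []},
    {"site": "other.example", "slug": "some-other-plugin", "version": "1.0.0", "pages": []},
]
FINDINGS = triage(INVENTORY)  # two findings: shop.example (privacy page exposed) and blog.example
```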
