CVE-2026-4283 — AI Deep Analysis Summary

🚨 **Essence**: Critical flaw in WP DSGVO Tools (GDPR) plugin. The `super-unsubscribe` AJAX action lacks proper authorization checks.…

🛡️ **Root Cause**: **CWE-862** (Missing Authorization). The plugin fails to verify if the user initiating the `super-unsubscribe` action has the right permissions. It’s a classic 'IDOR' or 'Broken Access Control' flaw.

📦 **Affected**: **WP DSGVO Tools (GDPR)** by **legalweb**. Specifically versions **3.1.38 and earlier**. 🌐 **Platform**: WordPress sites running this specific GDPR compliance plugin.

💀 **Attacker Actions**: Can **destroy user accounts** without permission. This violates Integrity (I:H) and Availability (A:H) but currently has no direct Confidentiality leak (C:N). It’s about **unauthorized deletion**.

⚡ **Threshold**: **LOW**. CVSS Vector shows **AV:N** (Network), **AC:L** (Low Complexity), **PR:N** (No Privileges Required), **UI:N** (No User Interaction). Anyone can exploit this remotely.

🔍 **Exploit Status**: **No public PoC/Exp** listed in the data (`pocs: []`). However, the vulnerability is well-documented in source code diffs, making it easy to craft a manual exploit.

🔎 **Self-Check**: Scan for **WP DSGVO Tools** version < 3.1.38. Check if the `super-unsubscribe` AJAX endpoint is active. Look for missing nonce or capability checks in `unsubscribe-form-action.php`.

✅ **Fix Status**: **Yes**. The vendor (legalweb) has released patches. Update to the latest version immediately. References point to trunk and fixed tags in the WordPress plugin repository.

🚧 **No Patch?**: Disable the `super-unsubscribe` shortcode/function if possible. Restrict access to the plugin’s AJAX endpoints via `.htaccess` or WAF rules. Monitor for sudden user account deletions.

🔥 **Urgency**: **CRITICAL**. CVSS Score is high due to **High Integrity/Availability impact** and **No Auth required**. Patch immediately to prevent malicious account purging.