WordPress Plugin Vulnerabilities

WP DSGVO Tools (GDPR) < 3.1.40 - Unauthenticated Sensitive Information Disclosure via Subject Access Request

Description

The plugin does not perform an authorization check on the immediate-processing path of its data subject access request feature, allowing unauthenticated attackers to generate and download the full personal-data export (including name, postal address, phone number, email, and comment content) of any user, customer, or commenter by supplying their email address.

Proof of Concept

Affects Plugins

Fixed in 3.1.40

References

Classification

Type
NO AUTHORISATION
CWE
CVSS

Miscellaneous

Original Researcher
Shivamani Vastrala
Submitter
Shivamani Vastrala
Verified
Yes

Timeline

Publicly Published
2026-06-18 (about 21 days ago)
Added
2026-06-18 (about 20 days ago)
Last Updated
2026-06-18 (about 20 days ago)

Other