WP DSGVO Tools (GDPR) < 3.1.24 – Unauthenticated Arbitrary Post Deletion | CVE 2021-42359 | Plugin Vulnerabilities

Description

The ‘admin-dismiss-unsubscribe‘ AJAX action in WP DSGVO Tools (GDPR) <= 3.1.23 lacked a capability check and a nonce check and was available to unauthenticated users, and did not check the post type when deleting unsubscription requests. As such, it was possible for an attacker to permanently delete an arbitrary post or page on the site by sending an AJAX request with the “action” parameter set to “admin-dismiss-unsubscribe” and the “id” parameter set to the post to be deleted. Sending such a request would move the post to the trash, and repeating the request would permanently delete the post in question.

Affects Plugins

shapepress-dsgvo

Fixed in 3.1.24

References

CVE

URL

https://www.wordfence.com/blog/2021/11/vulnerability-in-wp-dsgvo-tools-gdpr-plugin-allows-unauthenticated-page-deletion/

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Ramuel Gall

Submitter

Ramuel Gall

Submitter twitter

Verified

Yes

WPVDB ID

9b4e6bf3-52be-41ec-8f39-b039146796b1

Timeline

Publicly Published

2021-11-02 (about 4 years ago)

Added

2021-11-02 (about 4 years ago)

Last Updated

2022-04-13 (about 4 years ago)

Other

Published

Title

Published

2025-12-04

Title

Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification < 2.0.45 - Authentication Bypass to Account Takeover

Published

2024-12-03

Title

WooCommerce < 9.4.3 - Unauthenticated Order Creation

Published

2015-03-03

Title

Google Captcha <= 1.12 - Authentication Bypass

Published

2024-09-30

Title

Wechat Social login <= 1.3.0 - Authentication Bypass

Published

2018-10-20

Title

Accelerated Mobile Pages <= 0.9.97.19 - Multiple Unauthenticated Vulnerabilities