CVE-2026-10034
Deferred Deferred - Pending Action

Authorization Bypass in WP DSGVO Tools Plugin

Vulnerability report for CVE-2026-10034, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-19

Last updated on: 2026-06-22

Assigner: Wordfence

Description

The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.39. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to supply an arbitrary victim email address and trigger immediate SAR processing via the process_now and is_ajax parameters, receiving tokenized download links (zip_link, pdf_link) in the HTTP response that expose the victim's personal data β€” including WordPress account details, comment author names, email addresses, IP addresses, and comment content β€” without any proof of ownership. The nonce used for the CSRF check is publicly rendered by the SAR shortcode form and is shared across all anonymous visitors, meaning any unauthenticated attacker can trivially obtain a valid nonce and bypass this gate entirely.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-19
Last Modified
2026-06-22
Generated
2026-07-09
AI Q&A
2026-06-20
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wp_dsgvo_tools wp_dsgvo_tools to 3.1.39 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

Detection of this vulnerability involves monitoring HTTP requests to the affected WordPress site for unauthorized use of the process_now and is_ajax parameters that trigger SAR processing.

Specifically, look for requests that include these parameters along with arbitrary victim email addresses and that receive tokenized download links (zip_link, pdf_link) in the HTTP response.

Since the nonce used for CSRF checks is publicly available and shared among anonymous visitors, any request containing a valid nonce with these parameters could indicate exploitation attempts.

  • Use network monitoring tools like tcpdump or Wireshark to capture HTTP traffic and filter for requests containing 'process_now' and 'is_ajax' parameters.
  • Example command to capture HTTP POST requests with suspicious parameters using tcpdump: tcpdump -i <interface> -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -E 'process_now|is_ajax'
  • Check web server logs (e.g., access.log) for requests containing these parameters and unusual email addresses.
Executive Summary

The WP DSGVO Tools (GDPR) plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 3.1.39. This happens because the plugin does not properly verify if a user is authorized to perform certain actions.

As a result, unauthenticated attackers can provide an arbitrary victim's email address and trigger immediate Subject Access Request (SAR) processing using specific parameters. They then receive tokenized download links in the HTTP response that expose the victim's personal data without any proof of ownership.

  • Exposed data includes WordPress account details, comment author names, email addresses, IP addresses, and comment content.

The nonce used for CSRF protection is publicly available and shared among all anonymous visitors, allowing attackers to easily obtain a valid nonce and bypass security checks.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of personal data belonging to users of the WordPress site using the vulnerable plugin.

  • Attackers can access sensitive information such as account details, email addresses, IP addresses, and comment content without authentication.
  • This exposure can compromise user privacy and potentially lead to further attacks or misuse of the exposed data.
Compliance Impact

This vulnerability allows unauthenticated attackers to access and download personal data of victims without any proof of ownership. The exposed data includes WordPress account details, comment author names, email addresses, IP addresses, and comment content.

Such unauthorized exposure of personal data directly conflicts with the requirements of data protection regulations like GDPR and HIPAA, which mandate strict controls over access to personal and sensitive information to protect user privacy and ensure data security.

Therefore, the vulnerability can lead to non-compliance with these standards by enabling unauthorized data disclosure and failing to properly secure personal data.

Mitigation Strategies

Immediate mitigation steps include updating the WP DSGVO Tools (GDPR) plugin to a version later than 3.1.39 where the authorization bypass vulnerability is fixed.

If an update is not immediately possible, restrict access to the plugin's SAR processing endpoints to authenticated and authorized users only.

Additionally, consider implementing web application firewall (WAF) rules to block requests containing the process_now and is_ajax parameters from unauthenticated sources.

Monitor logs for suspicious activity and revoke any tokens or links that may have been exposed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10034. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart