CVE-2026-11869
Received Received - Intake

Unauthenticated Data Export in WP DSGVO Tools Plugin

Vulnerability report for CVE-2026-11869, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: WPScan

Description

The WP DSGVO Tools (GDPR) WordPress plugin before 3.1.40 does not perform an authorization check on the immediate-processing path of its data subject access request feature, allowing unauthenticated attackers to generate and download the full personal-data export (including name, postal address, phone number, email, and comment content) of any user, customer, or commenter by supplying their email address.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wp_dsgvo_tools wp_dsgvo_tools to 3.1.40 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The WP DSGVO Tools (GDPR) WordPress plugin, before version 3.1.40, has a critical vulnerability that allows unauthenticated attackers to access sensitive personal information without any authorization check.

This flaw exists in the Subject Access Request (SAR) feature of the plugin, where attackers can generate and download a full personal-data export of any user, customer, or commenter by simply providing their email address.

The exported data includes names, postal addresses, phone numbers, emails, and comment content. The attack requires no authentication or cookies and involves extracting a hidden nonce from the SAR form and sending a crafted request to retrieve a download link for the victim's data.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive personal information of users, customers, or commenters on a WordPress site using the affected plugin.

An attacker can obtain full personal data exports including names, postal addresses, phone numbers, emails, and comment content without any authentication.

Such a data breach can result in privacy violations, identity theft, reputational damage, and potential legal consequences for the site owner.

Compliance Impact

This vulnerability directly undermines compliance with data protection regulations such as GDPR by allowing unauthorized access to personal data.

Since GDPR mandates strict controls over personal data access and processing, the missing authorization check in the plugin's Subject Access Request feature violates these requirements.

Failure to protect personal data adequately can lead to regulatory penalties, legal liabilities, and loss of user trust.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized requests to the Subject Access Request (SAR) feature of the WP DSGVO Tools plugin. Specifically, look for HTTP requests that access the SAR form and include attempts to extract the hidden nonce and send crafted requests to generate personal-data exports.

Detection commands or methods may include inspecting web server logs for unusual POST or GET requests to the plugin's SAR endpoint, especially those containing email addresses as parameters without proper authentication.

For example, using command-line tools like curl or wget to simulate or detect such requests could help identify exploitation attempts.

  • Use web server log analysis tools or grep to find requests to the SAR form URL with email parameters.
  • Example command to search logs: grep -i 'subject_access_request' /var/log/apache2/access.log | grep -E 'email='
  • Monitor for requests that extract the hidden nonce and then send follow-up requests to download personal data.
Mitigation Strategies

The immediate and most effective mitigation step is to update the WP DSGVO Tools (GDPR) WordPress plugin to version 3.1.40 or later, where the authorization check issue has been fixed.

Until the update can be applied, restrict access to the SAR feature by limiting access to trusted users or IP addresses, or temporarily disabling the feature if possible.

Additionally, monitor your logs for suspicious activity related to the SAR feature to detect potential exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11869. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart