CVE-2026-11869 in WP DSGVO Tools Plugininfo

Summary

by MITRE • 07/09/2026

The WP DSGVO Tools (GDPR) WordPress plugin before 3.1.40 does not perform an authorization check on the immediate-processing path of its data subject access request feature, allowing unauthenticated attackers to generate and download the full personal-data export (including name, postal address, phone number, email, and comment content) of any user, customer, or commenter by supplying their email address.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/09/2026

The WP DSGVO Tools WordPress plugin vulnerability represents a critical authorization bypass flaw that directly impacts data protection compliance and user privacy. This issue affects versions prior to 3.1.40 and specifically targets the plugin's data subject access request functionality, which is designed to handle GDPR-compliant data requests from users. The vulnerability stems from insufficient access controls within the immediate-processing path of the plugin's administrative features, creating a pathway for unauthorized individuals to exploit the system without proper authentication credentials.

The technical implementation flaw allows attackers to leverage the plugin's legitimate data export mechanisms through a simple email address input parameter. When an unauthenticated user submits an email address through the affected processing path, the system automatically generates and prepares a comprehensive personal data export package containing sensitive information including names, postal addresses, phone numbers, email addresses, and comment content from the targeted user accounts. This represents a fundamental failure in the plugin's access control implementation and violates core security principles of least privilege and authentication enforcement.

The operational impact of this vulnerability extends beyond simple data exposure to create significant compliance risks for organizations using WordPress platforms. The ability to download complete personal data sets without authentication directly contravenes GDPR Article 25 requirements for data protection by design and by default, as well as violates the principle that only authorized personnel should have access to personal data. Organizations may face regulatory penalties, legal liability, and reputational damage from unauthorized data access, particularly in industries where customer privacy is paramount such as healthcare, finance, or e-commerce sectors.

This vulnerability aligns with CWE-863 (Incorrect Authorization) and maps to ATT&CK technique T1566 (Phishing) and T1078 (Valid Accounts) within the adversary tactics framework. The flaw represents a classic case of insufficient input validation and access control enforcement where the system fails to verify that the requestor has legitimate authorization to access the requested personal data. Security professionals should note this vulnerability as particularly dangerous due to its low complexity attack vector requiring only an email address, making it accessible to attackers with minimal technical expertise.

The recommended mitigations include immediate patching of the WP DSGVO Tools plugin to version 3.1.40 or later, which implements proper authorization checks for data subject access requests. Organizations should also consider implementing additional monitoring controls to detect unauthorized access attempts and review their WordPress plugin security posture regularly. Network segmentation and web application firewalls can provide additional defense-in-depth measures while strict access control policies should be enforced across all administrative interfaces to prevent similar authorization bypass vulnerabilities from occurring in other system components.

Organizations utilizing this plugin must conduct comprehensive audits of their user data access controls and implement proper logging mechanisms to track data subject requests. The vulnerability demonstrates the critical importance of maintaining up-to-date security patches and performing regular security assessments of third-party plugins, particularly those handling sensitive personal data. Implementation of automated vulnerability scanning tools and security monitoring systems can help identify similar authorization flaws in other components of the WordPress ecosystem and prevent exploitation of similar vulnerabilities across different plugin implementations.

Responsible

WPScan

Reservation

06/10/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!