CVE-2026-11869 PUBLISHED

WP DSGVO Tools (GDPR) < 3.1.40 - Unauthenticated Sensitive Information Disclosure via Subject Access Request

Assigner: WPScan
Reserved: 10.06.2026 Published: 09.07.2026 Updated: 09.07.2026

The WP DSGVO Tools (GDPR) WordPress plugin before 3.1.40 does not perform an authorization check on the immediate-processing path of its data subject access request feature, allowing unauthenticated attackers to generate and download the full personal-data export (including name, postal address, phone number, email, and comment content) of any user, customer, or commenter by supplying their email address.

Product Status

Vendor Unknown
Product WP DSGVO Tools (GDPR)
Versions Default: unaffected
  • affected from 0 to 3.1.40 (excl.)

Credits

  • Shivamani Vastrala finder
  • WPScan coordinator

References

Problem Types

  • CWE-862 Missing Authorization CWE