CVE-2026-4298 PUBLISHED

DSGVO All in one for WP <= 4.9 - Missing Authorization to Authenticated (Subscriber+) Settings Reset

Assigner: Wordfence
Reserved: 16.03.2026 Published: 09.07.2026 Updated: 09.07.2026

The DSGVO All in one for WP plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 4.9. This is due to the dsgvo_reset_policy_service_func() function lacking both capability checks and nonce verification while processing user-supplied parameters to reset plugin options. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset all customized privacy policy content including cookie notices, Google Analytics policies, Facebook policies, and YouTube policies to their default values.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 4.3

Product Status

Vendor mlfactory
Product DSGVO All in one for WP
Versions Default: unaffected
  • affected from 0 to 4.9 (incl.)

Credits

  • nudien udin finder
  • nudien finder

References

Problem Types

  • CWE-862 Missing Authorization CWE