A critical vulnerability was found in WP DSGVO Tools (GDPR) plugin that allowed unauthenticated attackers to completely and permanently delete arbitrary posts and pages on a website.
The WP DSGVO Tools (GDPR) plugin contains functionality to let users request their personal information to be removed from a site. It also contained an AJAX action, admin-dismiss-unsubscribe, to allow administrators to “dismiss” these removal requests. The requests were stored in the WordPress posts table, so “dismissing” a data removal request simply involved deleting the associated post ID.
Unfortunately, the AJAX action was available to unauthenticated users, and the plugin did not check to see if the post to be deleted was actually a data removal request. As such, it was possible for any site visitor to delete any post or page on the site by sending an AJAX request with the admin-dismiss-unsubscribe action along with the ID of the post to be deleted. Sending the AJAX request once would move the post to the trash, while repeating the request would permanently delete it.
We strongly recommend updating to the latest version of the plugin available immediately, which is 3.1.26 as of this writing, as it contains fixes for both the post deletion vulnerability and the XSS issue.
