Vulnerabilities and security researches forshapepress-dsgvo shapepress-dsgvo

Jun 16, 2026

CVE, Research URL: baace2cbd82a03c25bf9c22728a60d962a77b1ea
Home page URL: Security reports for WP DSGVO Tools (GDPR)
Application: WP DSGVO Tools (GDPR)
Date: Sep 24, 2021
Research Description: WP DSGVO Tools (GDPR) [shapepress-dsgvo] < 3.1.24 WP DSGVO Tools (GDPR) <= 3.1.23 - Unauthenticated Stored Cross-Site Scripting The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in versions up to, and including, 3.1.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.1.24.
Status: vulnerable

Apr 15, 2026

CVE, Research URL: CVE-2026-0914
Home page URL: Security reports for WP DSGVO Tools (GDPR)
Application: WP DSGVO Tools (GDPR)
Date: Jan 23, 2026
Research Description: The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lw_content_block' shortcode in all versions up to, and including, 3.1.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.1.37.
Status: vulnerable

Apr 13, 2026

CVE, Research URL: CVE-2026-4283
Home page URL: Security reports for WP DSGVO Tools (GDPR)
Application: WP DSGVO Tools (GDPR)
Date: Mar 24, 2026
Research Description: The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the `super-unsubscribe` AJAX action accepting a `process_now` parameter from unauthenticated users, which bypasses the intended email-confirmation flow and immediately triggers irreversible account anonymization. This makes it possible for unauthenticated attackers to permanently destroy any non-administrator user account (password randomized, username/email overwritten, roles stripped, comments anonymized, sensitive usermeta wiped) by submitting the victim's email address with `process_now=1`. The nonce required for the request is publicly available on any page containing the `[unsubscribe_form]` shortcode.
Affected versions: max 3.1.39.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2019-15777
Home page URL: Security reports for WP DSGVO Tools (GDPR)
Application: WP DSGVO Tools (GDPR)
Date: Aug 29, 2019
Research Description: The shapepress-dsgvo plugin before 2.2.19 for WordPress has wp-admin/admin-ajax.php?action=admin-common-settings&admin_email= XSS.
Affected versions: max 2.2.19.
Status: vulnerable

CVE, Research URL: CVE-2021-4358
Home page URL: Security reports for WP DSGVO Tools (GDPR)
Application: WP DSGVO Tools (GDPR)
Date: Jun 07, 2023
Research Description: The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in versions up to, and including, 3.1.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.1.24.
Status: vulnerable

CVE, Research URL: CVE-2024-3201
Home page URL: Security reports for WP DSGVO Tools (GDPR)
Application: WP DSGVO Tools (GDPR)
Date: May 23, 2024
Research Description: The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pp_link' shortcode in all versions up to, and including, 3.1.32 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.1.33.
Status: vulnerable

CVE, Research URL: CVE-2021-42359
Home page URL: Security reports for WP DSGVO Tools (GDPR)
Application: WP DSGVO Tools (GDPR)
Date: Nov 06, 2021
Research Description: WP DSGVO Tools (GDPR) <= 3.1.23 had an AJAX action, ‘admin-dismiss-unsubscribe‘, which lacked a capability check and a nonce check and was available to unauthenticated users, and did not check the post type when deleting unsubscription requests. As such, it was possible for an attacker to permanently delete an arbitrary post or page on the site by sending an AJAX request with the “action” parameter set to “admin-dismiss-unsubscribe” and the “id” parameter set to the post to be deleted. Sending such a request would move the post to the trash, and repeating the request would permanently delete the post in question.
Affected versions: max 3.1.24.
Status: vulnerable