
CVE-2024-13356: CWE-352 Cross-Site Request Forgery (CSRF) in mlfactory DSGVO All in one for WP

Severity: Medium
Published: Tue Feb 04 2025 (02/04/2025, 09:21:06 UTC)
Source: CVE Database V5
Vendor/Project: mlfactory
Product: DSGVO All in one for WP

Description

CVE-2024-13356 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the DSGVO All in one for WP WordPress plugin up to version 4.6. The flaw arises from missing or incorrect nonce validation in the user_remove_form.php file, allowing unauthenticated attackers to trick site administrators into deleting admin user accounts via forged requests. Exploitation requires user interaction, specifically an admin clicking a malicious link. The vulnerability has a CVSS 3.1 score of 6.5, indicating medium severity, with a high impact on integrity but no impact on confidentiality or availability. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or applying mitigations to prevent unauthorized admin account deletions, which could lead to loss of administrative control over WordPress sites.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 01:59:28 UTC

Technical Analysis

CVE-2024-13356 is a medium severity Cross-Site Request Forgery (CSRF) vulnerability identified in the DSGVO All in one for WP plugin for WordPress, affecting all versions up to and including 4.6. The vulnerability stems from missing or incorrect nonce validation in the user_remove_form.php file, which handles admin user removal requests. Nonces in WordPress are per-user, time-limited tokens that a request handler checks to confirm the request was deliberately submitted by the logged-in user from the site's own interface rather than forged by a third-party site. Because the handler does not correctly validate such a token, an attacker can craft a request that, when executed by an authenticated administrator (e.g., by clicking a specially crafted link), deletes admin user accounts without the administrator's explicit consent. The attacker does not need to be authenticated, but the attack requires user interaction from an admin. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) reflects that the attack can be launched remotely over the network with low complexity and no privileges, but requires user interaction. The impact on integrity is high because admin accounts can be deleted, potentially locking out legitimate administrators and compromising site management. There is no direct impact on confidentiality or availability. No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple administrators or high-value content. The vulnerability was published on February 4, 2025, and the CVE was assigned by Wordfence. No official patches or updates are listed, so mitigation may require manual intervention until a fixed plugin version is available.

Potential Impact

The primary impact of this vulnerability is the unauthorized deletion of administrator user accounts on WordPress sites using the affected DSGVO All in one for WP plugin. This can lead to loss of administrative control, preventing legitimate admins from managing the site, applying security updates, or responding to incidents. Such a loss of control can facilitate further attacks, including site defacement, data manipulation, or installation of malicious code by attackers who gain access through other means. Since the attack requires an admin to interact with a malicious link, social engineering is a key factor, increasing the risk in environments where admins may be targeted via phishing. The integrity of the site is severely compromised, but confidentiality and availability are not directly affected by this vulnerability. Organizations relying on this plugin, especially those with multiple administrators or high-profile WordPress sites, face increased risk of site takeover or disruption of site management.

Mitigation Recommendations

Organizations should immediately verify whether they are using the DSGVO All in one for WP plugin version 4.6 or earlier and plan to update to a patched version once available. In the absence of an official patch, administrators should implement the following mitigations:

1) Restrict administrative access to trusted networks or VPNs to reduce exposure to CSRF attacks.
2) Educate administrators about the risks of clicking on unsolicited or suspicious links, especially those received via email or messaging platforms.
3) Implement Web Application Firewall (WAF) rules to detect and block suspicious CSRF attempts targeting the user_remove_form.php endpoint.
4) Manually inspect and harden the plugin code by adding proper nonce validation in the user removal functionality if feasible.
5) Regularly back up WordPress user data and site configurations to enable quick recovery if admin accounts are deleted.
6) Monitor admin account changes and set up alerts for unexpected deletions or modifications.

These steps will help reduce the risk of exploitation until an official patch is released.
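Mitigation 4 and the nonce explanation in the Technical Analysis describe adding proper nonce validation to a user-removal handler. The PHP below is an added illustration of that pattern and is not code from the DSGVO All in one for WP plugin; the function names, the `example_remove_user` action and the `dsgvo_remove_user` nonce action are assumptions, and the WordPress API calls (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `wp_delete_user`) are the standard core functions.

```php
<?php
// Hypothetical hardened user-removal form and handler (added example, not the
// plugin's code). Names prefixed example_/dsgvo_ are assumptions.

// Renders the removal form on an admin page. wp_nonce_field() embeds a
// per-user, time-limited token bound to the action string, so a form built
// on another site cannot reproduce it.
function example_render_remove_user_form( $user_id ) {
    $user_id = (int) $user_id;
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_remove_user">
        <input type="hidden" name="user_id" value="<?php echo $user_id; ?>">
        <?php wp_nonce_field( 'dsgvo_remove_user_' . $user_id, 'dsgvo_remove_user_nonce' ); ?>
        <?php submit_button( 'Remove user' ); ?>
    </form>
    <?php
}

// Handles the POST. The nonce check runs before any state change: a forged
// cross-site request carries no valid token, so check_admin_referer() stops
// the request with wp_die() and no account is touched.
function example_handle_remove_user() {
    $user_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;

    // 1. CSRF protection: token must match this action and this user id.
    check_admin_referer( 'dsgvo_remove_user_' . $user_id, 'dsgvo_remove_user_nonce' );

    // 2. Authorization is a separate check: a nonce proves intent, not rights.
    if ( ! current_user_can( 'delete_users' ) || $user_id === get_current_user_id() ) {
        wp_die( 'You are not allowed to remove this user.', 403 );
    }

    // wp_delete_user() lives in an admin include that is not always loaded.
    require_once ABSPATH . 'wp-admin/includes/user.php';
    if ( ! wp_delete_user( $user_id ) ) {
        wp_die( 'User removal failed.' );
    }

    wp_safe_redirect( add_query_arg( 'removed', $user_id, admin_url( 'users.php' ) ) );
    exit;
}
add_action( 'admin_post_example_remove_user', 'example_handle_remove_user' );
```

Binding the user id into the nonce action means a token issued for one removal form cannot be replayed against a different account, and keeping the capability check separate covers the case where a nonce is valid but the caller is not permitted to delete users.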


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-01-13T15:50:13.884Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6e51b7ef31ef0b59e277

Added to database: 2/25/2026, 9:49:05 PM

Last enriched: 2/26/2026, 1:59:28 AM

Last updated: 2/26/2026, 6:36:28 AM

