CVE-2026-11869: CWE-862 Missing Authorization in WP DSGVO Tools (GDPR)
The WP DSGVO Tools (GDPR) WordPress plugin before 3.1.40 does not perform an authorization check on the immediate-processing path of its data subject access request feature, allowing unauthenticated attackers to generate and download the full personal-data export (including name, postal address, phone number, email, and comment content) of any user, customer, or commenter by supplying their email address.
AI Analysis
Technical Summary
CVE-2026-11869 is a missing authorization vulnerability (CWE-862) in the WP DSGVO Tools (GDPR) WordPress plugin before version 3.1.40. The plugin fails to verify that a requester is authorized to access personal data when processing data subject access requests. This flaw enables unauthenticated attackers to generate and download full personal data exports of any user, customer, or commenter by supplying their email address, potentially exposing sensitive personal information.
Potential Impact
An attacker can obtain sensitive personal information of any user, including name, postal address, phone number, email, and comment content, without authentication. This breach of privacy can lead to identity theft, targeted phishing, and other privacy violations. The vulnerability affects the confidentiality of user data managed by the plugin.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the plugin's data subject access request feature and monitor for suspicious activity related to data export requests.
CVE-2026-11869: CWE-862 Missing Authorization in WP DSGVO Tools (GDPR)
Description
The WP DSGVO Tools (GDPR) WordPress plugin before 3.1.40 does not perform an authorization check on the immediate-processing path of its data subject access request feature, allowing unauthenticated attackers to generate and download the full personal-data export (including name, postal address, phone number, email, and comment content) of any user, customer, or commenter by supplying their email address.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-11869 is a missing authorization vulnerability (CWE-862) in the WP DSGVO Tools (GDPR) WordPress plugin before version 3.1.40. The plugin fails to verify that a requester is authorized to access personal data when processing data subject access requests. This flaw enables unauthenticated attackers to generate and download full personal data exports of any user, customer, or commenter by supplying their email address, potentially exposing sensitive personal information.
Potential Impact
An attacker can obtain sensitive personal information of any user, including name, postal address, phone number, email, and comment content, without authentication. This breach of privacy can lead to identity theft, targeted phishing, and other privacy violations. The vulnerability affects the confidentiality of user data managed by the plugin.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the plugin's data subject access request feature and monitor for suspicious activity related to data export requests.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- WPScan
- Date Reserved
- 2026-06-10T12:15:34.139Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4f46b8c9d9e3dbe3ae73d2
Added to database: 07/09/2026, 06:59:04 UTC
Last enriched: 07/09/2026, 07:14:49 UTC
Last updated: 07/09/2026, 08:12:01 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.