CVE-2026-4283 is a missing authorization vulnerability (CWE-862) in the WP DSGVO Tools (GDPR) WordPress plugin up to version 3.1.38. The issue arises because the `super-unsubscribe` AJAX action accepts a `process_now` parameter from unauthenticated users, allowing them to bypass the email confirmation flow and immediately anonymize user accounts irreversibly. Exploitation requires only the victim's email address and a publicly available nonce from pages containing the `[unsubscribe_form]` shortcode. The attack results in permanent destruction of any non-administrator user account by randomizing passwords, overwriting usernames/emails, stripping roles, anonymizing comments, and wiping sensitive user metadata. There is no vendor advisory or patch information available at this time.

Successful exploitation leads to permanent destruction of non-administrator user accounts on affected WordPress sites using the vulnerable plugin version. This includes loss of user credentials, identity data, roles, comments, and sensitive metadata, effectively denying account access and data integrity for victims. The integrity and availability of user accounts are severely impacted. No confidentiality impact is indicated. The vulnerability has a critical CVSS score of 9.1 due to network attack vector, no privileges required, no user interaction, and high impact on integrity and availability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, site administrators should consider disabling or removing the WP DSGVO Tools (GDPR) plugin or restricting access to the unsubscribe functionality to authenticated users only. Monitoring for suspicious unsubscribe requests and limiting exposure of the nonce may reduce risk but do not fully mitigate the vulnerability.