{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/account-destruction/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WP DSGVO Tools (GDPR) plugin"],"_cs_severities":["critical"],"_cs_tags":["wordpress","gdpr","account-destruction","cve-2026-4283"],"_cs_type":"advisory","_cs_vendors":["WP DSGVO Tools"],"content_html":"\u003cp\u003eThe WP DSGVO Tools (GDPR) plugin for WordPress, in versions up to and including 3.1.38, contains a critical vulnerability (CVE-2026-4283) that allows unauthenticated attackers to destroy user accounts. The vulnerability resides in the \u003ccode\u003esuper-unsubscribe\u003c/code\u003e AJAX action, which is intended to handle account anonymization requests. However, by providing the \u003ccode\u003eprocess_now=1\u003c/code\u003e parameter along with a target user's email address, an attacker can bypass the email confirmation flow and immediately trigger the irreversible account anonymization process. The nonce value required for this AJAX request is exposed on any page containing the \u003ccode\u003e[unsubscribe_form]\u003c/code\u003e shortcode, making exploitation straightforward. This issue poses a significant risk to WordPress sites utilizing the affected plugin, potentially leading to widespread data loss and disruption of services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using a vulnerable version of the WP DSGVO Tools (GDPR) plugin (\u0026lt;= 3.1.38).\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to a page on the target site that includes the \u003ccode\u003e[unsubscribe_form]\u003c/code\u003e shortcode to obtain the required nonce.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious AJAX request targeting the \u003ccode\u003esuper-unsubscribe\u003c/code\u003e action endpoint (e.g., \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003esuper-unsubscribe\u003c/code\u003e, the \u003ccode\u003eprocess_now\u003c/code\u003e parameter set to \u003ccode\u003e1\u003c/code\u003e, the victim's email address, and the extracted nonce value.\u003c/li\u003e\n\u003cli\u003eThe WordPress server processes the request without requiring email confirmation due to the \u003ccode\u003eprocess_now=1\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe targeted user account undergoes irreversible anonymization: password randomized, username/email overwritten, roles stripped, comments anonymized, sensitive usermeta wiped.\u003c/li\u003e\n\u003cli\u003eThe victim loses access to their account, and their data is effectively destroyed.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4283 allows an unauthenticated attacker to permanently destroy non-administrator user accounts on affected WordPress sites. This leads to a loss of user data, disruption of services for affected users, and potential reputational damage for the website owner. The vulnerability affects all sites running the WP DSGVO Tools (GDPR) plugin versions 3.1.38 and earlier. A successful attack renders the targeted user account unusable, requiring manual intervention to recover (if possible).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the WP DSGVO Tools (GDPR) plugin to version 3.1.39 or later to patch CVE-2026-4283.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Unauthenticated Account Destruction Attempt via WP GDPR Plugin\u0026quot; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with \u003ccode\u003eaction=super-unsubscribe\u003c/code\u003e and \u003ccode\u003eprocess_now=1\u003c/code\u003e, as detected by the provided Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-wp-gdpr-account-destruction/","summary":"The WP DSGVO Tools (GDPR) WordPress plugin before version 3.1.39 is vulnerable to unauthenticated account destruction via the `super-unsubscribe` AJAX action, allowing attackers to irreversibly anonymize non-administrator user accounts.","title":"WP DSGVO Tools (GDPR) Plugin Vulnerable to Account Destruction (CVE-2026-4283)","url":"https://feed.craftedsignal.io/briefs/2024-01-wp-gdpr-account-destruction/"}],"language":"en","title":"CraftedSignal Threat Feed - Account-Destruction","version":"https://jsonfeed.org/version/1.1"}