Back to KEVs

CVE-2021-42359

WP DSGVO Tools (GDPR) <= 3.1.23 Unauthenticated Arbitrary Post Deletion

Basic Information

CVE State
PUBLISHED
Reserved Date
October 14, 2021
Published Date
November 05, 2021
Last Updated
February 14, 2025
Vendor
legalweb
Product
WP DSGVO Tools (GDPR)
Description
WP DSGVO Tools (GDPR) <= 3.1.23 had an AJAX action, ‘admin-dismiss-unsubscribe‘, which lacked a capability check and a nonce check and was available to unauthenticated users, and did not check the post type when deleting unsubscription requests. As such, it was possible for an attacker to permanently delete an arbitrary post or page on the site by sending an AJAX request with the “action” parameter set to “admin-dismiss-unsubscribe” and the “id” parameter set to the post to be deleted. Sending such a request would move the post to the trash, and repeating the request would permanently delete the post in question.
Tags
nuclei_scanner

CVSS Scores

CVSS v3.1

7.5 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2.0

6.4

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P

EPSS Score

Score
1.45% (Percentile: 79.68%) as of 2025-05-12

SSVC Information

Exploitation
none
Automatable
Yes
Technical Impact
partial

Exploit Status

Exploited in the Wild
Yes (2021-11-02 07:04:17 UTC) Source

References

https://www.wordfence.com/blog/2021/11/vulnerability-in-wp-dsgvo-tools-gdpr-plugin-allows-unauthenticated-page-deletion/

Known Exploited Vulnerability Information

Source Added Date
Wordfence 2021-11-02 07:04:17 UTC

Scanner Integrations

Scanner URL Date Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-42359.yaml 2026-06-01 15:34:31 UTC

Timeline

  • CVE ID Reserved

  • Added to KEVIntel

  • CVE Published to Public

  • Detected by Nuclei