Description
The WP DSGVO Tools (GDPR) WordPress plugin before 3.1.40 does not perform an authorization check on the immediate-processing path of its data subject access request feature, allowing unauthenticated attackers to generate and download the full personal-data export (including name, postal address, phone number, email, and comment content) of any user, customer, or commenter by supplying their email address.
Problem types
Product status
Any version before 3.1.40
Credits
Shivamani Vastrala
WPScan
References
wpscan.com/...rability/49170650-0006-4f3b-90f4-f8bb176beb7b/