WP DSGVO Tools Missing Authorization Vulnerability Disclosure (CVE-2026-10034) Advisory

Vulnerability Overview Vulnerability Name: WP DSGVO Tools (GDPR) <= 3.1.39 - Missing Authorization to Unauthenticated Sensitive Personal Data Disclosure via subject-access-request AJAX Endpoint (process_now/is_ajax Parameters) CVE ID: CVE-2026-10034 CVSS Score: 5.3 (Medium) Release Date: June 18, 2026 Last Updated: June 19, 2026 Researcher: kalomba - KA_PENTEST Affected Scope Software Type: Plugin Software Slug: shaperspress-dsgvo Affected Versions: <= 3.1.39 Patched Version: 3.1.40 Remediation Mitigation: Update to version 3.1.40 or a later patched release. Vulnerability Description The WP DSGVO Tools (GDPR) plugin contains an authorization bypass vulnerability in WordPress, affecting all versions up to 3.1.39. This vulnerability arises because the plugin fails to properly verify whether the user is authorized to perform the action. This allows unauthenticated attackers to receive tokenized download links (e.g., .zip, .link, .pdf, .txt) containing the victim's personal data in the HTTP response, including WordPress account details, comment author names, email addresses, IP addresses, and comment content—without any proof of ownership. By providing an arbitrary victim's email address and triggering immediate Subject Access Request (SAR) processing via the and parameters, the data is exposed. Since the SAR shortcode form and CSRF checks are publicly rendered, any unauthenticated attacker can easily obtain a valid nonce and bypass this gateway. Reference Links plugins.trac.wordpress.org Share Options Facebook Twitter LinkedIn Email Additional Information Business Hours: 9am-6pm ET, 6am-5pm PT, and 2pm-1am UTC/GMT, excluding weekends and holidays. Response Time: 365 days/year, 1-hour response time. Copyright Information Copyright: © 2012-2026 Defiant Inc. All Rights Reserved Other Links Terms of Service Privacy Policy and Notice at Collection Do Not Sell or Share My Personal Information Social Media X Facebook Instagram YouTube Products and Support Products: - Wordfence Free - Wordfence Premium - Wordfence Care - Wordfence Response - Wordfence CLI - Wordfence Intelligence - Wordfence Central Support: - Documentation - Learning Center - Free Support - Premium Support News: - Blog - In The News - Vulnerability Advisories About: - About Wordfence - Affiliate Program - Employment - Contact - Security - CVE Request Form Subscribe to Updates Subscribe: Register to receive news and updates from our team of experienced security professionals. Email: you@example.com Agree to Terms: By checking this box, I agree to the Terms of Service and Privacy Policy. Signature SIGN UP Other Cherubic --- Summary This vulnerability involves an authorization bypass issue in the WP DSGVO Tools (GDPR) plugin, affecting versions <= 3.1.39, with a CVSS score of 5.3. The remediation is to update to version 3.1.40 or higher.

Goal Reached Thanks to every supporter — we hit 100%!

WP DSGVO Tools Missing Authorization Vulnerability Disclosure (CVE-2026-10034) Advisory

More from this source