CVE-2026-4283

WP DSGVO Tools · WP DSGVO Tools (GDPR) plugin

The WP DSGVO Tools (GDPR) plugin for WordPress allows unauthenticated attackers to permanently destroy non-administrator accounts by bypassing the email confirmation flow via AJAX.

Executive summary

A critical logic flaw in the WP DSGVO Tools plugin lets unauthenticated attackers irreversibly delete and anonymize non-administrator user accounts, causing unrecoverable loss of user data and account access.

Vulnerability

The super-unsubscribe AJAX action accepts a process_now parameter from unauthenticated requests. When that parameter is set, the handler skips the email-confirmation step that is supposed to prove the requester controls the mailbox, so an attacker who knows a victim's email address can trigger immediate account anonymization. The only other value required is a nonce, and because that nonce is rendered into a publicly reachable form it proves nothing about who is calling; it protects against CSRF, not against an attacker who fetches it first.
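The pattern described above, as an added illustration written for this page and not taken from the plugin's source: the function names (gdpr_unsubscribe_vulnerable, gdpr_unsubscribe_hardened, gdpr_confirm_unsubscribe, the two helpers), the nonce action name and the user-meta keys are all assumptions. The first handler lets the request choose the destructive path through process_now; the hardened form never reads such a flag, and the destructive step is reachable only through a random single-use token that is delivered to the mailbox.

```php
<?php
// Illustrative code modelled on the advisory's description; not WP DSGVO Tools' own code.
// Hook names, function names and meta keys are assumptions.

// --- Vulnerable pattern -------------------------------------------------------
add_action('wp_ajax_super-unsubscribe',        'gdpr_unsubscribe_vulnerable');
add_action('wp_ajax_nopriv_super-unsubscribe', 'gdpr_unsubscribe_vulnerable'); // reachable logged out

function gdpr_unsubscribe_vulnerable(): void {
    // The nonce is printed into the public form: it stops CSRF, it does not authenticate.
    check_ajax_referer('gdpr_unsubscribe', 'nonce');
    $user = get_user_by('email', sanitize_email($_POST['email'] ?? ''));
    if (!$user) {
        wp_send_json_error('unknown address');
    }
    if (!empty($_POST['process_now'])) {        // attacker-controlled: skips confirmation entirely
        gdpr_anonymize_user($user);
        wp_send_json_success('processed');
    }
    gdpr_send_confirmation($user, wp_generate_password(32, false));
    wp_send_json_success('confirmation mail sent');
}

// --- Hardened pattern ---------------------------------------------------------
// The AJAX endpoint can only start the flow. No request parameter selects the
// destructive path; only the emailed token, checked in gdpr_confirm_unsubscribe(), does.
add_action('wp_ajax_super-unsubscribe',        'gdpr_unsubscribe_hardened');
add_action('wp_ajax_nopriv_super-unsubscribe', 'gdpr_unsubscribe_hardened');

function gdpr_unsubscribe_hardened(): void {
    check_ajax_referer('gdpr_unsubscribe', 'nonce');
    $user = get_user_by('email', sanitize_email($_POST['email'] ?? ''));
    if ($user && !user_can($user, 'manage_options')) {
        $token = wp_generate_password(32, false);                 // random, single use
        update_user_meta($user->ID, '_gdpr_unsub_token', wp_hash($token));   // store a keyed hash, not the token
        update_user_meta($user->ID, '_gdpr_unsub_expires', time() + HOUR_IN_SECONDS);
        gdpr_send_confirmation($user, $token);
    }
    // Identical response whether or not the address exists: no account enumeration.
    wp_send_json_success('If that address is registered, a confirmation mail has been sent.');
}

// Reached only from the link in the confirmation mail (e.g. ?gdpr_confirm=<token>&uid=<id>).
function gdpr_confirm_unsubscribe(int $user_id, string $token): bool {
    $stored  = (string) get_user_meta($user_id, '_gdpr_unsub_token', true);
    $expires = (int) get_user_meta($user_id, '_gdpr_unsub_expires', true);
    if ($stored === '' || $expires < time() || !hash_equals($stored, wp_hash($token))) {
        return false;                                              // missing, expired or wrong token
    }
    delete_user_meta($user_id, '_gdpr_unsub_token');              // burn the token before acting
    delete_user_meta($user_id, '_gdpr_unsub_expires');
    $user = get_user_by('id', $user_id);
    if (!$user || user_can($user, 'manage_options')) {
        return false;
    }
    gdpr_anonymize_user($user);
    return true;
}

// --- Helpers (assumed shape) ----------------------------------------------------
function gdpr_send_confirmation(WP_User $user, string $token): void {
    $link = add_query_arg(['gdpr_confirm' => $token, 'uid' => $user->ID], home_url('/'));
    wp_mail($user->user_email, 'Confirm your unsubscribe request', "Confirm here: $link");
}

function gdpr_anonymize_user(WP_User $user): void {
    // Irreversible: overwrite identifying fields and strip the role, as the advisory describes.
    wp_update_user(['ID' => $user->ID, 'user_email' => "deleted-{$user->ID}@invalid", 'display_name' => 'Deleted user']);
    $user->set_role('');
}
```

The point of the hardened form is not the nonce or the sanitization, both of which the vulnerable handler already has; it is that the request can never carry the decision to anonymize. That decision exists only as a high-entropy token that leaves the server by email, is stored hashed, expires, and is deleted before use.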

Business impact

The impact is a permanent loss of user data and account access. Because the only per-victim input is an email address, attackers can work through a user base systematically, overwriting usernames and emails and stripping roles. While administrators are reportedly exempt, the reputational damage and loss of customer data for all other user tiers are severe. The CVSS score of 9.1 reflects this high impact on integrity and availability.

Remediation

Immediate Action: Update the WP DSGVO Tools (GDPR) plugin to the latest patched version.

Proactive Monitoring: Review web server and AJAX logs for requests to admin-ajax.php carrying action=super-unsubscribe, especially from logged-out sessions and with process_now set. A high volume of such requests, or requests targeting many distinct email addresses from one source, indicates a scripted attack against your user base.

Compensating Controls: Temporarily disable the [unsubscribe_form] shortcode or restrict access to the AJAX endpoint to authenticated users only until the patch is applied. Note that removing the shortcode only removes the rendered form; the AJAX handler typically stays registered and reachable through admin-ajax.php, so restricting the endpoint itself is the more reliable of the two controls.
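One way to apply the endpoint restriction without editing the plugin, as an added example written for this page rather than code from the plugin or its vendor: a must-use plugin that rejects logged-out calls to the super-unsubscribe action. It assumes the action name exactly as given in this advisory, that admin-ajax.php fires admin_init before dispatching the wp_ajax_nopriv_ callback (which is how WordPress core behaves), and that the mu-plugins directory is in use; the function name is arbitrary.

```php
<?php
/**
 * Plugin Name: CVE-2026-4283 temporary mitigation
 * Description: Rejects logged-out calls to the super-unsubscribe AJAX action until WP DSGVO Tools is patched.
 *
 * Place this file in wp-content/mu-plugins/ (create the directory if it does not exist).
 * Remove it after the plugin has been updated.
 */

// Priority 0 so this runs before anything the plugin may hook on admin_init.
add_action('admin_init', 'cve_2026_4283_block_nopriv_unsubscribe', 0);

function cve_2026_4283_block_nopriv_unsubscribe(): void {
    // admin-ajax.php runs admin_init before do_action("wp_ajax_nopriv_{$action}"),
    // so a check here runs ahead of the plugin's handler.
    if (!wp_doing_ajax()) {
        return;
    }
    $action = isset($_REQUEST['action']) ? (string) $_REQUEST['action'] : '';
    if ($action !== 'super-unsubscribe') {      // action name as given in the advisory (assumed exact)
        return;
    }
    if (is_user_logged_in()) {
        return;                                  // authenticated flow is left untouched
    }
    // One log line per blocked attempt so the monitoring step has something to count.
    error_log(sprintf(
        '[CVE-2026-4283] blocked logged-out super-unsubscribe from %s (process_now %s)',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        isset($_REQUEST['process_now']) ? 'set' : 'absent'
    ));
    wp_send_json_error(['message' => 'Unsubscribe is temporarily unavailable.'], 403);
}
```

This blocks every logged-out unsubscribe, which is the control the advisory recommends and is safe to apply blind. If logged-out unsubscribes must keep working, a narrower variant is to unset process_now from the request superglobals instead of sending the 403, so the request falls back to the email-confirmation path; that variant assumes the plugin reads the flag from the request superglobals, which this page does not confirm, so test it against a staging copy first.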

Exploitation status

Public Exploit Available: No

Analyst recommendation

Immediate patching is required to protect user accounts. Because the anonymization is irreversible, organizations should also verify that backups of the user and usermeta tables exist and that a restore has been tested, in case an attack lands before the patch can be applied.