A vulnerability was found by the Wordfence team in WP DSGVO Tools (GDPR), a WordPress plugin with over 30,000 installations. They were investigating the plugin to verify that their customers were fully protected from an actively exploited XSS issue, and found a flaw that allowed unauthenticated attackers to completely and permanently delete arbitrary posts and pages on a website.
The WP DSGVO Tools (GDPR) plugin contains functionality to let users request their personal information to be removed from a site. It also contained an AJAX action, admin-dismiss-unsubscribe, to allow administrators to “dismiss” these removal requests. The requests were stored in the WordPress posts table, so “dismissing” a data removal request simply involved deleting the associated post ID.
Unfortunately, the AJAX action was available to unauthenticated users, and the plugin did not check to see if the post to be deleted was actually a data removal request. As such, it was possible for any site visitor to delete any post or page on the site by sending an AJAX request with the admin-dismiss-unsubscribe action along with the ID of the post to be deleted. Sending the AJAX request once would move the post to the trash, while repeating the request would permanently delete it.
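The two missing checks described above (who is calling, and what kind of post is being deleted) look like this in a WordPress AJAX handler. This is an added example, not the plugin's own code or its actual patch; the post type name, the nonce action, the `id` and `nonce` request fields and the `manage_options` capability are assumptions chosen for illustration.

```php
<?php
// Added example, not code from WP DSGVO Tools (GDPR).
// Hypothetical placeholders: the plugin's real post type and nonce names are not given on this page.
const EXAMPLE_REQUEST_POST_TYPE = 'example_removal_request';
const EXAMPLE_NONCE_ACTION      = 'example_dismiss_removal_request';

// Register the handler on the wp_ajax_ hook only. Adding a matching
// wp_ajax_nopriv_ hook would make the action reachable without a login.
add_action( 'wp_ajax_admin-dismiss-unsubscribe', 'example_dismiss_removal_request' );

function example_dismiss_removal_request() {
    // 1. CSRF protection: the request must carry a nonce issued to this user
    //    for this action. check_ajax_referer() ends the request if it is invalid.
    check_ajax_referer( EXAMPLE_NONCE_ACTION, 'nonce' );

    // 2. Authorization: wp_ajax_ hooks fire for every logged-in role,
    //    subscribers included, so the capability must be checked explicitly.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Object validation: the ID must point at a removal request,
    //    not at an ordinary post or page stored in the same table.
    $post_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post || EXAMPLE_REQUEST_POST_TYPE !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Not a removal request' ), 400 );
    }

    // Only now is it safe to delete. The second argument skips the trash.
    if ( ! wp_delete_post( $post_id, true ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed' ), 500 );
    }

    wp_send_json_success( array( 'dismissed' => $post_id ) );
}
```

The post type comparison is what keeps a handler like this from acting on regular content even if one of the other checks is later weakened.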
While it is true that site defacements have become less popular in recent years as they are more difficult to monetize, it would be trivial for an attacker to delete most of a site’s content in a way that would be impossible to recover unless the site’s database had been backed up.
We strongly recommend updating immediately to the latest available version of the plugin, which is 3.1.26 as of this writing, as it contains fixes for both the post deletion vulnerability and the XSS issue.