CVE-2026-24539

The WordPress plugin 'Protección de datos – RGPD' (versions up to and including 0.68) contains a missing authorization vulnerability. The absence of proper access control checks in certain functions allows an attacker to bypass intended security levels, potentially enabling actions that should require higher privileges [1].

Exploitation does not require authentication and can be carried out by sending crafted requests to the affected WordPress site. The vulnerability has been flagged as being used in mass-exploit campaigns, targeting thousands of websites regardless of their size or popularity [1]. The attack surface is broad due to the plugin's widespread use for GDPR compliance.

The impact is considered low severity according to the reference, yet the missing authorization could allow attackers to access or manipulate protected data or settings within the plugin, breaking the intended security boundary [1]. Given its use in mass exploits, the real-world risk may be higher than the CVSS score suggests (5.3).

The vendor has released version 0.69 which resolves the issue; users are strongly advised to update immediately. If unable to update, contacting the hosting provider or a web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].