The WP DSGVO Tools (GDPR) plugin for WordPress contains a critical vulnerability in versions up to 3.1.38 that allows unauthorized account destruction. The vulnerability exists in the 'super-unsubscribe' AJAX action which accepts a 'process_now' parameter from unauthenticated users, bypassing email confirmation flows. Attackers can permanently destroy non-administrator user accounts by submitting victim email addresses with 'process_now=1'. The attack results in randomized passwords, overwritten usernames/emails, stripped roles, anonymized comments, and wiped sensitive metadata. The required nonce is publicly available on pages containing the '[unsubscribe_form]' shortcode, making exploitation straightforward.