Description
The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the `DSGVOGWPdownloadGoogleFonts()` function in all versions up to, and including, 1.1. The function is exposed via a `wp_ajax_nopriv_` hook, requiring no authentication. It fetches a user-supplied URL as a CSS file, extracts URLs from its content, and downloads those files to a publicly accessible directory without validating the file type. This makes it possible for unauthenticated attackers to upload arbitrary files including PHP webshells, leading to remote code execution. The exploit requires the site to use one of a handful of specific themes (twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely).
Published: 2026-04-08
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The DSGVO Google Web Fonts GDPR plugin for WordPress allows an attacker to upload arbitrary files because its download function does not check file types. The function is exposed through an unauthenticated AJAX hook, so anyone with internet access can supply a URL to a malicious file such as a PHP webshell. Once the file is written to a publicly accessible directory, the attacker can execute code on the host, leading to full system compromise.
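The defect described above is the absence of any check between "extract a URL from the fetched CSS" and "write the response to a public directory". As an added illustration (not code from the plugin or from mlfactory; all function and constant names are hypothetical), the following PHP shows the validation a font-download routine of this kind needs: an allowlist of source hosts, an allowlist of font extensions with a strict filename pattern, and a magic-byte check of the downloaded body so that the content has to match the claimed type before anything is written.

```php
<?php
// Added example, not the plugin's own code. Function and constant names are hypothetical.

// Only these hosts are expected to serve Google font assets; any other host is refused.
const GWF_ALLOWED_HOSTS = ['fonts.gstatic.com', 'fonts.googleapis.com'];

// Web font container formats and the magic bytes each one starts with.
const GWF_FONT_MAGIC = [
    'woff2' => "wOF2",
    'woff'  => "wOFF",
    'ttf'   => "\x00\x01\x00\x00",
    'otf'   => "OTTO",
];

/**
 * Returns a safe local filename for $url, or null if the URL must not be fetched.
 * The filename is derived from the URL path only; query string and fragment are ignored.
 */
function gwf_validate_font_url(string $url): ?string {
    $parts = parse_url($url);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https') {
        return null;                                   // only https sources
    }
    if (!in_array(strtolower($parts['host'] ?? ''), GWF_ALLOWED_HOSTS, true)) {
        return null;                                   // host not on the allowlist
    }
    $base = basename($parts['path'] ?? '');
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!isset(GWF_FONT_MAGIC[$ext])) {
        return null;                                   // not a font extension
    }
    // One run of [A-Za-z0-9_-] plus the single allowed extension: no second dot
    // (so "x.php.woff" style names are refused) and no path separators.
    if (!preg_match('/^[A-Za-z0-9_-]+\.' . $ext . '$/', $base)) {
        return null;
    }
    return $base;
}

/**
 * Returns true if $bytes begin with the magic bytes expected for the font extension $ext.
 */
function gwf_body_is_font(string $bytes, string $ext): bool {
    $magic = GWF_FONT_MAGIC[$ext] ?? null;
    return $magic !== null && strncmp($bytes, $magic, strlen($magic)) === 0;
}

/**
 * Fetches $url with the WordPress HTTP API and stores it under $dir only when both
 * the URL and the downloaded bytes pass validation. Returns the stored path or null.
 * $dir is assumed to be a directory the caller created where the web server does
 * not execute PHP (or that is protected by a rule denying execution).
 */
function gwf_download_font(string $url, string $dir): ?string {
    $name = gwf_validate_font_url($url);
    if ($name === null) {
        return null;
    }
    // Redirects are disabled so the host allowlist cannot be bypassed by a 3xx hop.
    $resp = wp_remote_get($url, ['timeout' => 10, 'redirection' => 0]);
    if (is_wp_error($resp) || wp_remote_retrieve_response_code($resp) !== 200) {
        return null;
    }
    $body = wp_remote_retrieve_body($resp);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!gwf_body_is_font($body, $ext)) {
        return null;                                   // body does not match the claimed type
    }
    $path = rtrim($dir, '/') . '/' . $name;
    return file_put_contents($path, $body, LOCK_EX) === false ? null : $path;
}
```

The magic-byte check is what closes the gap an extension allowlist alone leaves: a response served with a font-looking name but a PHP payload in its body starts with `<?php`, not `wOFF`, and is dropped before it reaches disk. Independently of content validation, an action that writes to the filesystem should be registered for authenticated, capable users (`wp_ajax_` rather than `wp_ajax_nopriv_`) and verify a nonce, since the advisory's core problem is that the endpoint is reachable without any authentication.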

Affected Systems

This vulnerability exists in all released versions of the DSGVO Google Web Fonts GDPR plugin from mlfactory up to and including version 1.1. It is actionable only when the site is using one of a small set of themes – twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely – because the plugin relies on those themes’ directory structures for file storage.

Risk and Exploitability

With a CVSS score of 9.8, the vulnerability is classified as critical. EPSS information is unavailable and the flaw is not in CISA’s KEV catalog, but the lack of authentication and the ability to place executable code make it highly exploitable in the identified environments. The attack vector is inferred to be the unauthenticated wp_ajax_nopriv_ endpoint; sites running one of the required themes represent a high-risk target set.

Generated by OpenCVE AI on April 8, 2026 at 08:23 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the DSGVO Google Web Fonts GDPR plugin to the latest release or uninstall it if upgrades are unavailable.
  • If an upgrade is not possible, disable the wp_ajax_nopriv_ endpoint or block the related AJAX request with a firewall rule.
  • Consider switching to a different WordPress theme that is not on the list of vulnerable themes to eliminate the file storage exploitation path.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 04:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 19:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Mlfactory; Mlfactory dsgvo Google Web Fonts Gdpr; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Mlfactory; Mlfactory dsgvo Google Web Fonts Gdpr; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 07:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the `DSGVOGWPdownloadGoogleFonts()` function in all versions up to, and including, 1.1. The function is exposed via a `wp_ajax_nopriv_` hook, requiring no authentication. It fetches a user-supplied URL as a CSS file, extracts URLs from its content, and downloads those files to a publicly accessible directory without validating the file type. This makes it possible for unauthenticated attackers to upload arbitrary files including PHP webshells, leading to remote code execution. The exploit requires the site to use one of a handful of specific themes (twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely).

Type: Title
Values Removed: (none)
Values Added: DSGVO Google Web Fonts GDPR <= 1.1 - Unauthenticated Arbitrary File Upload via 'fonturl' Parameter

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-434

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T18:04:51.531Z

Reserved: 2026-03-04T18:14:55.423Z

Link: CVE-2026-3535

Vulnrichment

Updated: 2026-04-08T18:04:31.406Z

NVD

Status : Deferred

Published: 2026-04-08T07:16:21.417

Modified: 2026-04-27T19:04:22.650

Link: CVE-2026-3535

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:43:45Z

Weaknesses