PT-2026-31095

Nabil Irawan · Published 2026-04-08 · Updated 2026-04-23

CVE-2026-3535 · CVSS v3.1 9.8 Critical · Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: DSGVO Google Web Fonts GDPR plugin for WordPress, versions up to and including 1.1

Description: The DSGVO Google Web Fonts GDPR plugin for WordPress is susceptible to arbitrary file upload because the DSGVOGWPdownloadGoogleFonts() function performs no file type validation. The function is registered through a wp_ajax_nopriv_ hook, so it can be called without authentication. It fetches a user-supplied URL, treats the response as a CSS file, extracts the URLs referenced in that content, and downloads each of them into a publicly accessible directory without checking what kind of file it is. An unauthenticated attacker can therefore place arbitrary files, including PHP webshells, on the server, which can lead to remote code execution. Exploitation requires one of the following themes to be in use: twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely.

Recommendations: Versions up to and including 1.1: update to a version that addresses the file type validation issue.
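The description above names three missing controls: the handler is reachable without authentication, it follows whatever URLs the fetched CSS contains, and it writes the downloaded bodies to a web-accessible directory without checking their type. As an added example (not the plugin's own code and not the vendor's fix), the hypothetical handler below shows how a defender would write the same "download the fonts referenced by a CSS file" routine with those controls in place. The example_* function names, the nonce action name, the fonts.googleapis.com / fonts.gstatic.com allowlist and the example-fonts directory are assumptions made for this illustration; the wp_* calls, check_ajax_referer, current_user_can and MB_IN_BYTES are real WordPress APIs.

```php
<?php
// Added example, not the DSGVO Google Web Fonts GDPR plugin's code.
// Hypothetical hardened version of a "fetch fonts from a CSS file" AJAX handler.

// Only font files are ever written to disk; anything else is rejected before download.
const EXAMPLE_FONT_EXTENSIONS = [ 'woff', 'woff2', 'ttf', 'otf' ];

// Returns a safe basename for a font URL, or null when the URL must be rejected.
function example_validate_font_url( string $url ): ?string {
    $parts = wp_parse_url( $url );
    if ( ! $parts || empty( $parts['scheme'] ) || empty( $parts['host'] ) || empty( $parts['path'] ) ) {
        return null;
    }
    // Assumption for this example: fonts only come from Google's font CDN over HTTPS.
    if ( 'https' !== $parts['scheme'] || 'fonts.gstatic.com' !== $parts['host'] ) {
        return null;
    }
    $name = basename( $parts['path'] );
    $ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    // Extension allowlist: .php, .phtml, .htaccess and friends never reach the filesystem.
    if ( ! in_array( $ext, EXAMPLE_FONT_EXTENSIONS, true ) ) {
        return null;
    }
    $safe = sanitize_file_name( $name ); // strips path separators and odd characters
    return '' === $safe ? null : $safe;
}

// Content check: the downloaded bytes must start with the font format's magic
// and must not contain a PHP open tag. Extension checks alone are not enough,
// because the server is the one choosing the name from a remote URL.
function example_body_looks_like_font( string $body, string $ext ): bool {
    $magic = [
        'woff'  => [ 'wOFF' ],
        'woff2' => [ 'wOF2' ],
        'otf'   => [ 'OTTO' ],
        'ttf'   => [ "\x00\x01\x00\x00", 'true' ],
    ];
    $ok = false;
    foreach ( $magic[ $ext ] ?? [] as $prefix ) {
        if ( 0 === strpos( $body, $prefix ) ) {
            $ok = true;
        }
    }
    return $ok && false === stripos( $body, '<?php' ) && false === stripos( $body, '<?=' );
}

function example_download_google_fonts() {
    // 1. Authentication and CSRF protection. The advisory describes a
    //    wp_ajax_nopriv_ handler, i.e. no check at all; here the action is only
    //    registered for logged-in users and still requires a capability and a nonce.
    check_ajax_referer( 'example_fonts_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. The CSS source itself is restricted, so the handler cannot be pointed at arbitrary hosts.
    $css_url = isset( $_POST['css_url'] ) ? esc_url_raw( wp_unslash( $_POST['css_url'] ) ) : '';
    if ( '' === $css_url || 0 !== strpos( $css_url, 'https://fonts.googleapis.com/' ) ) {
        wp_send_json_error( 'unexpected css source', 400 );
    }

    $css = wp_remote_retrieve_body( wp_remote_get( $css_url, [ 'timeout' => 10 ] ) );
    preg_match_all( '/url\(\s*[\'"]?([^\'")]+)[\'"]?\s*\)/i', $css, $m );

    $upload = wp_upload_dir();
    $dir    = trailingslashit( $upload['basedir'] ) . 'example-fonts/';
    wp_mkdir_p( $dir );

    // 3. Every referenced URL is validated by name and by content before it is saved.
    $saved = [];
    foreach ( array_unique( $m[1] ) as $font_url ) {
        $name = example_validate_font_url( $font_url );
        if ( null === $name ) {
            continue;
        }
        $ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
        $resp = wp_remote_get( $font_url, [ 'timeout' => 10, 'limit_response_size' => 2 * MB_IN_BYTES ] );
        if ( is_wp_error( $resp ) ) {
            continue;
        }
        $body = wp_remote_retrieve_body( $resp );
        if ( ! example_body_looks_like_font( $body, $ext ) ) {
            continue;
        }
        file_put_contents( $dir . $name, $body );
        $saved[] = $name;
    }
    wp_send_json_success( $saved );
}
// Deliberately no wp_ajax_nopriv_ registration: unauthenticated visitors get no entry point.
add_action( 'wp_ajax_example_download_google_fonts', 'example_download_google_fonts' );
```

When reviewing a plugin for this bug class, the three questions to ask of any download-and-save routine are the ones the example answers in order: who may trigger it, which hosts it will fetch from, and what it checks about a file before writing it somewhere the web server will serve. Registering only the wp_ajax_ variant, not wp_ajax_nopriv_, removes the unauthenticated trigger; the allowlists remove the attacker's control over the file name; the magic-byte check means a response that is not a font is discarded even if its name passed.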

Fix · RCE · Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2026-3535

Affected Products: Dsgvo Google Web Fonts Gdpr, Salient, Shapely, Storefront, Twentyfifteen, Twentyseventeen, Twentysixteen