DNA View

Critical Severity Vulnerability

This vulnerability has been rated as Critical severity. Immediate action is recommended.

CVE-2026-3535

Critical

Low Medium High Critical

9.8

CVSS Score

Published: Apr 08, 2026

Last Modified: Apr 27, 2026

CWE: CWE-434

Vulnerability Description

The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the `DSGVOGWPdownloadGoogleFonts()` function in all versions up to, and including, 1.1. The function is exposed via a `wp_ajax_nopriv_` hook, requiring no authentication. It fetches a user-supplied URL as a CSS file, extracts URLs from its content, and downloads those files to a publicly accessible directory without validating the file type. This makes it possible for unauthenticated attackers to upload arbitrary files including PHP webshells, leading to remote code execution. The exploit requires the site to use one of a handful of specific themes (twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely).

CVSS Metrics

Common Vulnerability Scoring System

Vector String:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

References & Resources

Severity Details

9.8

out of 10.0

Critical

Weakness Type (CWE)

CWE-434 Top 25 #5

Unrestricted Upload of File with Dangerous Type

Description: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Exploit Likelihood: Medium
Typical Severity: Medium
OWASP Top 10: A04:2021-Insecure Design
Abstraction Level: Base