{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3535", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-04T18:14:55.423Z", "datePublished": "2026-04-08T06:43:38.955Z", "dateUpdated": "2026-04-08T18:04:51.531Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:56:57.658Z"}, "affected": [{"vendor": "mlfactory", "product": "DSGVO Google Web Fonts GDPR", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the `DSGVOGWPdownloadGoogleFonts()` function in all versions up to, and including, 1.1. The function is exposed via a `wp_ajax_nopriv_` hook, requiring no authentication. It fetches a user-supplied URL as a CSS file, extracts URLs from its content, and downloads those files to a publicly accessible directory without validating the file type. This makes it possible for unauthenticated attackers to upload arbitrary files including PHP webshells, leading to remote code execution. The exploit requires the site to use one of a handful of specific themes (twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely)."}], "title": "DSGVO Google Web Fonts GDPR <= 1.1 - Unauthenticated Arbitrary File Upload via 'fonturl' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6203ffaf-5efd-4c66-85f0-cc3a05a03084?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/dsgvo-google-web-fonts-gdpr/tags/1.1/dsgvo-google-web-fonts-gdpr.php#L46"}, {"url": "https://plugins.trac.wordpress.org/browser/dsgvo-google-web-fonts-gdpr/tags/1.1/dsgvo-google-web-fonts-gdpr.php#L159"}, {"url": "https://plugins.trac.wordpress.org/browser/dsgvo-google-web-fonts-gdpr/trunk/dsgvo-google-web-fonts-gdpr.php#L46"}, {"url": "https://plugins.trac.wordpress.org/browser/dsgvo-google-web-fonts-gdpr/trunk/dsgvo-google-web-fonts-gdpr.php#L159"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2026-04-07T17:40:04.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T18:03:46.198479Z", "id": "CVE-2026-3535", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:04:51.531Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the `DSGVOGWPdownloadGoogleFonts()` function in all versions up to, and including, 1.1. The function is exposed via a `wp_ajax_nopriv_` hook, requiring no authentication. It fetches a user-supplied URL as a CSS file, extracts URLs from its content, and downloads those files to a publicly accessible directory without validating the file type. This makes it possible for unauthenticated attackers to upload arbitrary files including PHP webshells, leading to remote code execution. The exploit requires the site to use one of a handful of specific themes (twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely)."}], "id": "CVE-2026-3535", "lastModified": "2026-04-08T21:26:35.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T07:16:21.417", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dsgvo-google-web-fonts-gdpr/tags/1.1/dsgvo-google-web-fonts-gdpr.php#L159"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dsgvo-google-web-fonts-gdpr/tags/1.1/dsgvo-google-web-fonts-gdpr.php#L46"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dsgvo-google-web-fonts-gdpr/trunk/dsgvo-google-web-fonts-gdpr.php#L159"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dsgvo-google-web-fonts-gdpr/trunk/dsgvo-google-web-fonts-gdpr.php#L46"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6203ffaf-5efd-4c66-85f0-cc3a05a03084?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "DSGVO Google Web Fonts GDPR", "source": "cna", "vendor": "mlfactory"}, "product": "dsgvo_google_web_fonts_gdpr", "vendor": "mlfactory"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T08:23:52.538475+00:00", "value": {"mitigation_remediation": ["Update the DSGVO Google Web Fonts GDPR plugin to the latest release or uninstall it if upgrades are unavailable.", "If an upgrade is not possible, disable the wp_ajax_nopriv_ endpoint or block the related AJAX request with a firewall rule.", "Consider switching to a different WordPress theme that is not on the list of vulnerable themes to eliminate the file storage exploitation path."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "This vulnerability exists in all released versions of the DSGVO Google Web Fonts GDPR plugin from mlfactory up to and including version 1.1. It is actionable only when the site is using one of a small set of themes \u2013 twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely \u2013 because the plugin relies on those themes\u2019 directory structures for file storage.", "description_and_impact": "The DSGVO Google Web Fonts GDPR plugin for WordPress allows an attacker to upload arbitrary files because its download function does not check file types. The function is exposed through an unauthenticated AJAX hook, so anyone with internet access can supply a URL to a malicious file such as a PHP webshell. Once the file is written to a publicly accessible directory, the attacker can execute code on the host, leading to full system compromise.", "risk_and_exploitability": "With a CVSS score of 9.8 the vulnerability is classified as critical. EPSS information is unavailable and the flaw is not in CISA\u2019s KEV catalog, but the lack of authentication and the ability to place executable code make it highly exploitable in the identified environments. The attack vector is inferred to be through the unauthenticated wp_ajax_nopriv_ endpoint; sites that match the required themes represent a high-risk target set."}}}}, "created": "2026-04-08T19:31:12.103648+00:00", "updated": "2026-04-08T19:43:45.586549+00:00", "vendors": ["mlfactory", "mlfactory$PRODUCT$dsgvo_google_web_fonts_gdpr", "wordpress", "wordpress$PRODUCT$wordpress"]}