CVE-2026-3535
Received Received - Intake
Unauthenticated Arbitrary File Upload in DSGVO Google Web Fonts Plugin

Publication date: 2026-04-08

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the `DSGVOGWPdownloadGoogleFonts()` function in all versions up to, and including, 1.1. The function is exposed via a `wp_ajax_nopriv_` hook, requiring no authentication. It fetches a user-supplied URL as a CSS file, extracts URLs from its content, and downloads those files to a publicly accessible directory without validating the file type. This makes it possible for unauthenticated attackers to upload arbitrary files including PHP webshells, leading to remote code execution. The exploit requires the site to use one of a handful of specific themes (twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3535
EUVD
EUVD-2026-20104
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The DSGVO Google Web Fonts GDPR plugin for WordPress has a vulnerability that allows attackers to upload arbitrary files without proper validation. This happens because the function DSGVOGWPdownloadGoogleFonts() accepts a user-supplied URL, fetches it as a CSS file, extracts URLs from it, and downloads those files to a public directory without checking the file types.

Since this function is accessible via a wp_ajax_nopriv_ hook, no authentication is required to exploit it. Attackers can upload malicious files, including PHP webshells, which can then be executed remotely.

However, the exploit only works if the WordPress site uses one of certain themes: twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely.

Impact Analysis

This vulnerability can have severe impacts because it allows unauthenticated attackers to upload and execute arbitrary code on the affected WordPress site.

  • Remote code execution leading to full site compromise.
  • Potential data theft or manipulation.
  • Defacement or disruption of website services.
  • Use of the compromised site as a launchpad for further attacks.
Compliance Impact

The vulnerability allows unauthenticated attackers to upload arbitrary files, including PHP webshells, leading to remote code execution on affected WordPress sites. This can result in unauthorized access to sensitive data and system compromise.

Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and breaches.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3535. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart