CVE-2026-3535 in DSGVO Google Web Fonts GDPR Pluginالمعلومات

الملخص

بحسب MITRE • 08/04/2026

The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the `DSGVOGWPdownloadGoogleFonts()` function in all versions up to, and including, 1.1. The function is exposed via a `wp_ajax_nopriv_` hook, requiring no authentication. It fetches a user-supplied URL as a CSS file, extracts URLs from its content, and downloads those files to a publicly accessible directory without validating the file type. This makes it possible for unauthenticated attackers to upload arbitrary files including PHP webshells, leading to remote code execution. The exploit requires the site to use one of a handful of specific themes (twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely).

Be aware that VulDB is the high quality source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

مسؤول

Wordfence

حجز

04/03/2026

إفشاء

08/04/2026

الاعتدال

تمت الموافقة

إدخال

VDB-356021

CPE

جاهز

CWE

CWE-434 (مؤكد)

CVSS

9.8 (CNA)

EPSS

0.00138

KEV

لا

النشاطات

منخفض جدًا

القطاع

Hostingprovider

المصادر

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-3535
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-3535
CVE Details	https://www.cvedetails.com/cve/CVE-2026-3535/

التالي ▸نظرة عامة ◂ السابق

Do you know our Splunk app?

Download it now for free!