CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the `DSGVOGWPdownloadGoogleFonts()` function in all versions up to, and including, 1.1. The function is exposed via a `wp_ajax_nopriv_` hook, requiring no authentication. It fetches a user-supplied URL as a CSS file, extracts URLs from its content, and downloads those files to a publicly accessible directory without validating the file type. This makes it possible for unauthenticated attackers to upload arbitrary files including PHP webshells, leading to remote code execution. The exploit requires the site to use one of a handful of specific themes (twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely).
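The description above comes down to one missing check: URLs extracted from fetched CSS are downloaded as-is, so whatever the remote server returns lands in a web-served directory. The following is an added example (not the plugin's code, and not a patch for it) of the validation a font-fetching routine of this kind needs before it writes anything to disk. It assumes a small allowlist of font extensions, a magic-byte check for the binary font containers, and refuses stacked extensions such as shell.php.woff; nothing here performs a network request.

```python
import posixpath
import re
from urllib.parse import urlparse

# Font formats a Google Fonts stylesheet legitimately references (assumed allowlist).
ALLOWED_FONT_EXTENSIONS = {".woff", ".woff2", ".ttf", ".otf", ".eot"}

# Leading bytes of the WOFF, WOFF2, TrueType and OpenType containers, used as a
# second, content-based check on what was actually downloaded.
FONT_MAGIC = (b"wOFF", b"wOF2", b"\x00\x01\x00\x00", b"true", b"OTTO")

# Matches url(...) tokens in CSS, with or without surrounding quotes.
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)", re.IGNORECASE)


def extract_css_urls(css_text):
    """Return every url(...) target found in a stylesheet, in document order."""
    return [m.group(1) for m in CSS_URL_RE.finditer(css_text)]


def safe_font_filename(url):
    """Map a font URL to a safe local filename, or None if it must be rejected.

    Rejected: non-http(s) schemes, empty basenames, extensions outside the
    allowlist, and stacked extensions such as shell.php.woff.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return None
    basename = posixpath.basename(parsed.path)
    if not basename:
        return None
    # Collapse anything unusual so the name cannot carry separators or control bytes.
    basename = re.sub(r"[^A-Za-z0-9._-]", "_", basename)
    root, ext = posixpath.splitext(basename)
    if ext.lower() not in ALLOWED_FONT_EXTENSIONS:
        return None
    if "." in root:
        # Conservative choice: any stacked extension is refused outright.
        return None
    return root + ext.lower()


def looks_like_font(data):
    """Content check: the first bytes must match a known font container signature."""
    return data[:4] in FONT_MAGIC


def plan_downloads(css_text):
    """Split the URLs found in fetched CSS into (url, filename) pairs that may be
    downloaded and URLs rejected by name validation. Nothing is fetched here;
    a caller would still run looks_like_font() on each body before saving it."""
    accepted, rejected = [], []
    for url in extract_css_urls(css_text):
        name = safe_font_filename(url)
        if name is None:
            rejected.append(url)
        else:
            accepted.append((url, name))
    return accepted, rejected


# Constructed sample stylesheet: two legitimate font references plus two URLs that
# an attacker-controlled CSS file could carry to smuggle executable content.
SAMPLE_CSS = """
@font-face { src: url(https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxK.woff2) format('woff2'); }
@font-face { src: url('https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxK.ttf') format('truetype'); }
@font-face { src: url("http://203.0.113.10/shell.php"); }
@font-face { src: url(http://203.0.113.10/shell.php.woff); }
"""

if __name__ == "__main__":
    accepted, rejected = plan_downloads(SAMPLE_CSS)
    for url, name in accepted:
        print("download", url, "->", name)
    for url in rejected:
        print("reject  ", url)
```

The two checks are deliberately independent: the name check decides what may be written and under which filename, the magic-byte check decides whether the downloaded body is kept. A server that answers a .woff2 URL with PHP source fails the second check even though it passed the first.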
Analysis
Remote code execution in DSGVO Google Web Fonts GDPR WordPress plugin (all versions ≤1.1) allows unauthenticated attackers to upload PHP webshells via arbitrary file upload. The DSGVOGWPdownloadGoogleFonts() function, exposed through wp_ajax_nopriv_ hooks, accepts user-supplied URLs without file type validation and writes content to publicly accessible directories. …
Remediation
Within 24 hours: Identify all WordPress installations using DSGVO Google Web Fonts GDPR plugin version 1.1 or earlier via site inventory and security scanning tools; disable or deactivate the plugin immediately on all affected sites.
Within 7 days: Remove the plugin entirely from all WordPress instances; audit web server logs for suspicious file uploads to wp-content and other publicly accessible directories; scan sites for uploaded webshells or backdoors using malware detection tools. …
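The 7-day step asks for two concrete checks: executable files sitting under wp-content where only fonts and media belong, and log entries showing those files being requested. The script below is an added example of both, not vuln.today's or the plugin's tooling. It assumes the combined access-log format used by Apache and nginx, a small set of PHP extensions as the "executable" indicator, and a throwaway uploads tree and log excerpt that are constructed inline so the script runs offline.

```python
import os
import re
import tempfile

# Files a web server will execute; none of these belong under an uploads or fonts directory.
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".php3", ".php5", ".php7", ".phar"}

# Combined log format (assumed); only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A request for an executable file below wp-content/uploads is the usual sign of a dropped webshell.
UPLOADS_EXEC_RE = re.compile(
    r"/wp-content/uploads/.*\.(?:php|phtml|php3|php5|php7|phar)(?:$|[?/])", re.IGNORECASE
)


def find_executable_files(root):
    """Walk a directory tree and return POSIX-style relative paths of executable files, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def suspicious_requests(log_lines):
    """Return parsed entries that request an executable file under wp-content/uploads."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real audit would count these separately
        if UPLOADS_EXEC_RE.search(m.group("path")):
            findings.append({k: m.group(k) for k in ("ip", "ts", "method", "path", "status")})
    return findings


def build_demo_tree():
    """Create a throwaway uploads tree holding one font and one planted PHP file (constructed)."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    fonts = os.path.join(root, "fonts")
    os.makedirs(fonts)
    with open(os.path.join(fonts, "KFOmCnqEu92Fr1Mu4mxK.woff2"), "wb") as f:
        f.write(b"wOF2" + b"\x00" * 16)
    with open(os.path.join(fonts, "shell.php"), "w") as f:
        f.write("<?php /* placeholder standing in for a planted file */ ?>")
    return root


# Constructed access-log excerpt: a normal page view, a POST to admin-ajax.php (the entry
# point for wp_ajax_nopriv_ handlers), a hit on a PHP file inside the uploads tree, and a
# legitimate font request that must not be flagged.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/May/2026:09:12:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/May/2026:09:12:44 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 14 "-" "curl/8.0"',
    '203.0.113.10 - - [10/May/2026:09:12:51 +0000] "GET /wp-content/uploads/fonts/shell.php HTTP/1.1" 200 87 "-" "curl/8.0"',
    '198.51.100.7 - - [10/May/2026:09:13:10 +0000] "GET /wp-content/uploads/fonts/KFOmCnqEu92Fr1Mu4mxK.woff2 HTTP/1.1" 200 15000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    root = build_demo_tree()
    for rel in find_executable_files(root):
        print("executable file under uploads:", rel)
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious request:", hit["ip"], hit["ts"], hit["method"], hit["path"], hit["status"])
```

On a real site, point find_executable_files() at the wp-content/uploads directory and feed suspicious_requests() the access log; a 200 response for a PHP path under uploads is worth treating as a confirmed compromise indicator rather than a scanner false positive, and the originating IP and timestamp give the starting point for the wider log review.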
EUVD-2026-20104
GHSA-x9xw-x29g-m332