What the vulnerability does
01 Description
The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the `DSGVOGWPdownloadGoogleFonts()` function in all versions up to, and including, 1.1. The function is exposed via a `wp_ajax_nopriv_` hook, so it can be reached without authentication. It fetches a user-supplied URL as a CSS file, extracts the URLs referenced in that file's content, and downloads the referenced files into a publicly accessible directory without validating their file type. This makes it possible for unauthenticated attackers to upload arbitrary files, including PHP webshells, which leads to remote code execution. Exploitation requires the site to be running one of a handful of specific themes (twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely).
Explanation of Vulnerability in Simple Terms
02 Summary
The DSGVO Google Web Fonts GDPR plugin for WordPress allows unauthenticated attackers to upload arbitrary files to the site. An attacker can exploit this over the network with no authentication and no user interaction. This lets them upload malicious code, take control of the site, or steal sensitive data. All versions up to and including 1.1 are affected.
What an attacker can do
03 Attacker Capabilities
Upload arbitrary files to the site and execute malicious code without authentication.
Potential impact on your site
04 Site Impact
Complete site compromise: attackers can run code, steal data, or deface your WordPress installation.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required. The site must be running one of the themes named in the description (twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely).
Key dates
06 Disclosure timeline
April 8, 2026: CVE published
April 8, 2026: Record updated